
I have some doubts about the parsing. I am new to the tool and I am wondering how to update the parsing and whether there are conflicts when performing these updates. I currently have a parsing of a Trend Micro DDI product, which I need to activate beforehand, and make a personalized parsing. If you could help me with the steps to follow to make these updates and the possible consequences that could arise from these updates.

I am still trying to understand what you are trying to do. There is a default parser that was updated just a couple of days ago. Do you wish to create a custom parser for it? Or do you want to make just a few changes using a parser extension? The difference is that if you write a parser on your own then you maintain it, and then nothing from the default parser is used. If you write an extension then you are taking advantage of the default parser and make slight changes like mapping a new field or other small changes. In this case, Chronicle will override the result from the default parser with your changes. Hope this helps.


https://cloud.google.com/chronicle/docs/event-processing/using-parser-extensions


https://cloud.google.com/chronicle/docs/event-processing/manage-parser-updates


Information on managing parser updates can be found here - https://cloud.google.com/chronicle/docs/event-processing/manage-parser-updates#manage_parser_updates


Can you elaborate on the parsing needs for the Trend Micro parser?


Hello @erik314 
If you're using a custom parser and want to review the latest updates in the default parser, click on "View Pending Update." A parser preview will be displayed, highlighting the changes in the same window. You can incorporate these updates into your custom parser if needed. Alternatively, after reviewing the updates, you can activate and update the default parser if it's compatible.

Thanks