Skip to main content
Solved

Need an example for Google SecOps custom parser

  • October 30, 2025
  • 8 replies
  • 146 views
JSpoorSonic
Forum|alt.badge.img+9

I am pretty new to SecOps custom parser.

I was able to write a parser extension for a Syslog product,

but now I have to create a completely new custom parser, the logs arrive in JSON format.

 

Can someone help me with some example code?

 

LOGS:

{
  "customerId": "obfuscated",
  "events": [
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:30.954000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - Authorization Code Generated"
      }
    },
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:28.916000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - device ownership and compliance check"
      }
    },
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:28.181000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - Authorization Code Generated"
      }
    },
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:11.489000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - device ownership and compliance check"
      }
    },
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:10.618000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - certificate is not revoked"
      }
    },
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:03.929000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "INFO",
        "message": "Trustscore calculated"
      }
    }
  ]
}

Best answer by mikewilusz

Welcome to the world of parsers! I have an example of JSON parsing up on my blog (with an example log and parser): https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

-mike

8 replies

kentphelps
Staff
Forum|alt.badge.img+11
  • kentphelps
  • Staff
  • October 30, 2025

Here are a couple of resources to get started

Parser syntax reference

Understanding Chronicle Parsers with Visualization

JSpoorSonic
Forum|alt.badge.img+9
  • JSpoorSonicBronze 3
  • Author
  • Bronze 3
  • October 30, 2025

Here are a couple of resources to get started

Parser syntax reference

Understanding Chronicle Parsers with Visualization

Unfortunately those didn’t help me…

I am looking for an example (with the log next to it).

Thanx

mikewilusz
Staff
Forum|alt.badge.img+10
  • mikewilusz
  • Staff
  • Answer
  • October 30, 2025

Welcome to the world of parsers! I have an example of JSON parsing up on my blog (with an example log and parser): https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

-mike

kentphelps
JSpoorSonic
JSpoorSonic
Forum|alt.badge.img+9
  • JSpoorSonicBronze 3
  • Author
  • Bronze 3
  • October 30, 2025

Welcome to the world of parsers! I have an example of JSON parsing up on my blog (with an example log and parser): https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

-mike

Very well written! I’ll give this a try.

JSpoorSonic
Forum|alt.badge.img+9
  • JSpoorSonicBronze 3
  • Author
  • Bronze 3
  • October 31, 2025

Welcome to the world of parsers! I have an example of JSON parsing up on my blog (with an example log and parser): https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

-mike

Need some more help please. Thanx to your article, I got most of the details from this log:

{
  "customerId": "ae37e9f6-5bd0-409d-9efd-3244ee85ee41",
  "events": [
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:30.954000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - Authorization Code Generated"
      }
    }

But I can’t seem to get the eventTimestamp?

I tried:

  date {
    match => ["%{events.metadata.eventTimestamp", "yyyy-MM-dd HH:mm:ss", "UNIX", "ISO8601", "UNIX_MS"] 
    on_error => "no_date_match"
  }

 

as well as this:

  mutate {
    replace => {
      "@timestamp" => "%{events.metadata.eventTimestamp}"
    }
  }

  date {
    match => ["@timestamp", "yyyy-MM-dd HH:mm:ss", "UNIX", "ISO8601", "UNIX_MS"] 
    on_error => "no_date_match"
  }

 

But it is not getting the timestamp from the log, but rather puts in local timestamp?

JSpoorSonic
Forum|alt.badge.img+9
  • JSpoorSonicBronze 3
  • Author
  • Bronze 3
  • October 31, 2025

Welcome to the world of parsers! I have an example of JSON parsing up on my blog (with an example log and parser): https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

-mike

Need a tad more help 

I am having issues parsing the EventTimestamp from below log

{
  "customerId": "ae37e9f6-5bd0-409d-9efd-3244ee85ee41",
  "events": 
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:30.954000+00:00",
        "eventType": "GENERIC_EVENT",
        "productName": "loginservice",
        "vendorName": "trustprovider"
      }

 

I already tried these:

Attempt 1:

  date {
    match => ["%{events.metadata.eventTimestamp}", "yyyy-MM-dd HH:mm:ss", "UNIX", "ISO8601", "UNIX_MS"] 
    on_error => "no_date_match"
  }



Attempt 2:
  mutate {
    replace => {
      "@timestamp" => "%{events.metadata.eventTimestamp}"
    }
  }

  date {
    match => ["@timestamp", "yyyy-MM-dd HH:mm:ss", "UNIX", "ISO8601", "UNIX_MS"] 
    on_error => "no_date_match"
  }

 

JSpoorSonic
Forum|alt.badge.img+9
  • JSpoorSonicBronze 3
  • Author
  • Bronze 3
  • October 31, 2025

Pls ignore above, found smthn that works.

Had to convert the timestamp first.

 

  mutate {
    replace => {
      "@timestamp" => "%{events.0.metadata.eventTimestamp}"
    }
  }

  mutate {
    gsub => [
      "@timestamp", "(\\.\\d{3})\\d+", "\1",  # trim microseconds to 3 digits 
      "@timestamp", "\\+00:00", "Z"            # replace +00:00 with Z

    ]
  }

     date {
        match => ["@timestamp", "ISO8601"]
        target => "cse_event.idm.read_only_udm.metadata.event_timestamp"
      }

 

mikewilusz
gkush
Staff
Forum|alt.badge.img+5
  • gkush
  • Staff
  • November 3, 2025

General point: you can always look at the default parser for any of the sources you are currently ingesting, assuming you have IAM access rights, in Settings > SIEM Settings > Parsers. Click on any given parser and “View” should appear. Then you can see a production parser.

 

The documentation page on log types will tell you which formats a parser supports -- it helps to use a parser built for JSON on a JSON log rather than KV/Syslog.  The doc page with that is here: 

https://cloud.google.com/chronicle/docs/reference/default-parsers

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.