Hello,

I need to develop some code that will export the characteristics of servers and various network elements to Chronicle SIEM as entities so it can use the information to enrich events (and later for use with Chronicle SOAR). I'm told that normally this is done by interfacing with Active Directory or some sort of EDR solution, but that's not an option, so we have to roll our own, and it's proving difficult because there seems to be no concise documentation for entity processing.

What I have now is software on our side that generates JSON documents with a structure that tries to be compliant with the Entity documentation, but it's proving difficult. So two questions to begin with:

(1) Is there somewhere I could find examples of the JSON documents produced by other solutions (like AD or EDR products) for ingestion into Chronicle? I don't mean on the AD/EDR side but rather the final JSON that is ready to be ingested.

(2) Is there documentation on the Chronicle-side parser to actually ingest such documents?

It seems like there must be such documentation to support the people who did this for AD/EDR, but I have not been able to find it. Any hints?

Thanks!

Hello Karamatsu, welcome to the forum!

You might benefit from bypassing the parsers and directly ingesting entities using the REST API.

You can use the entities/import REST API method for ingestion:

I would suggest describing your servers as Asset entities. The JSON format for those can be found here:

There are some sample Python scripts for using these REST API methods available at:

I described usage of create_udm_events.py in my blog post "Events, and Lists, and Rules, oh my!":

Are your Python skills up to the task of following those examples to create a new ingestion/v1alpha/create_entities.py script?

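As an added illustration of the approach in the answer above (not code from the thread, the Chronicle sample repository, or the poster), here is a builder for the Asset entity JSON that an in-house inventory export could hand to entities/import. The `metadata` / `entity.asset` field names follow the UDM Entity schema as I know it, the `inline_source` request wrapper is my assumption about the import body shape, and the log type and hostnames are constructed placeholders; confirm all of these against the Entity documentation the answer links to.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Field names follow the UDM Entity schema (metadata + entity.asset) as I know it;
# check them against the Entity documentation linked above before relying on them.
ENTITY_TYPE = "ASSET"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def build_asset_entity(hostname, ips, macs=(), platform="LINUX", platform_version=None,
                       labels=None, collected_at=None, vendor_name="ExampleCorp",
                       product_name="inhouse-cmdb"):
    """Return one UDM Asset entity (a dict) describing a server or network element."""
    clean_ips = [str(ipaddress.ip_address(ip)) for ip in ips]      # ValueError on junk
    clean_macs = [m.lower().replace("-", ":") for m in macs]       # normalise 00-1A-.. form
    bad = [m for m in clean_macs if not MAC_RE.match(m)]
    if bad:
        raise ValueError(f"malformed MAC address(es): {bad}")
    when = collected_at or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    asset = {"hostname": hostname, "ip": clean_ips}
    if platform:
        asset["platform_software"] = {"platform": platform}
        if platform_version:
            asset["platform_software"]["platform_version"] = platform_version
    if clean_macs:
        asset["mac"] = clean_macs
    if labels:  # free-form context such as owner or environment, used later in rules
        asset["attribute"] = {"labels": [{"key": k, "value": v} for k, v in labels.items()]}
    return {"metadata": {"collected_timestamp": stamp, "entity_type": ENTITY_TYPE,
                         "vendor_name": vendor_name, "product_name": product_name},
            "entity": {"asset": asset}}


def build_import_body(entities, log_type):
    """Wrap entities in the body shape I assume entities:import expects (assumption)."""
    return {"inline_source": {"entities": entities, "log_type": log_type}}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        {"hostname": "web01.example.internal", "ips": ["10.0.0.5"], "macs": ["00-1A-2B-3C-4D-5E"],
         "platform_version": "Ubuntu 22.04", "labels": {"owner": "web-team"}},
        {"hostname": "fw-edge.example.internal", "ips": ["10.0.0.1", "192.0.2.1"], "platform": None},
    ]
    print(json.dumps(build_import_body([build_asset_entity(**h) for h in inventory],
                                       "LOG_TYPE_PLACEHOLDER"), indent=2))
```

Posting the body to the entities:import endpoint with an authenticated client is the only step left, and the sample scripts linked above show that part.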