Chronicle SIEM:
In my raw log I have a string
exposure:external
but this field is not in UDM. Is there a way to specify a condition in a rule to check for the string? Or can we not do that at all?
You have to have a UDM event for the rules. Make a parsing request to support, and be sure to state that you want the parsed event to be searchable and usable in rules.
Hi Rodney, the raw log entry must first be parsed into a relevant UDM field and then this field in UDM is searchable via a UDM search or rule.
This comment was originally sent by Tom Fridman
Hi @rodneysamuel,
Chronicle SIEM includes a preview feature, called Parser Extensions, that enables user defined field extractions from a raw log into UDM schema.
A parser extension is applied atop of the default parser, so you can continue to receive updates to the parser and have your custom extractions as well.
Documentation on the private preview is available here, and it is expected to go into public preview in the near future; otherwise you could contact your Google Account team / Chronicle Partner, or try Chronicle Support to request early access if it is an urgent requirement: https://cloud.google.com/chronicle/docs/preview/parser-extensions/using-parser-extensions
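As an added illustration (not part of Tom's reply or of Chronicle's documentation), assuming a parser extension has already mapped the raw `exposure:<value>` token into the UDM `additional.fields` map under an assumed key named `exposure`, a YARA-L 2.0 rule could then test that parsed field and group hits per host:

```yaral
rule external_exposure_detected {
  meta:
    description = "Fires when a parsed event carries exposure:external"
    severity = "MEDIUM"

  events:
    // Assumed mapping: the parser extension wrote the value following
    // "exposure:" in the raw log into additional.fields["exposure"].
    $e.additional.fields["exposure"] = "external"
    // Bind the hostname so matches can be grouped per asset.
    $e.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    $risk_score = 50

  condition:
    $e
}
```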
Thanks @Tomtomfridman. Really helps! I'll try to get this enabled for us.