Chronicle SIEM:
In my raw log I have a string
exposure:external
but this field is not in UDM. Is there a way specify a condition in rule to check for the string ? Or we cannot do that at all ?
Raw log string: exposure:external
+3
+12- Silver 2
You have to have a UDM event for the rules. Make a parsing request to support, and be sure to state that you want the parsed event to be searchable and usable in rules.
+4Hi Rodney, the raw log entry must first be parsed into a relevant UDM field and then this field in UDM is searchable via a UDM search or rule.
+13
This comment was originally sent by Tom Fridman
Hi
@rodneysamuel
Chronicle SIEM includes a preview feature, called Parser Extensions, that enables user defined field extractions from a raw log into UDM schema.
A parser extension is applied atop of the default parser, so you can continue to receive updates to the parser and have your custom extractions as well.
Documentation on the private preview is available here, and it is expected to go into public preview in the near future, but otherwise you could contact your Google Account team / Chronicle Partner, or try Chronicle Support to request early access if an urgent requirement -
https://cloud.google.com/chronicle/docs/preview/parser-extensions/using-parser-extensions
.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.