Thank you to everyone who joined us for our latest "Webinar Wednesday" session! If you missed the live stream or want to revisit the technical demonstrations, we’ve got you covered.
In this session, we were joined by Darren Davis, Senior Solutions Consultant for Google SecOps, for a deep dive into Parsing Best Practices. Darren shared his expert methodology for normalizing data and walked us through a live demo of building a custom parser from scratch.
Here is a summary of what we discussed and where you can find specific topics in the recording. Check out the attached slide deck from the webinar and a FAQ with a list of Q&A from the livestream.
Webinar Summary
The session focused on the art of transforming raw logs into actionable security data using the Unified Data Model (UDM). Darren explained that effective parsing isn't just about getting data into the system; it's about organizing it to enable efficient search and high-fidelity detection.
Key takeaways included:
- The "Perfect Ratio": Parsing is about balancing the minimum fields an event needs to validate against UDM with the additional data that makes detection and response effective.
- Methodology: A 3-step framework for custom parsing: (1) What is the log telling me? (2) What minimum fields are needed? (3) What extra data improves detection?
- Live Coding: A hands-on demonstration of the parser editor, including how to handle nested JSON, how to split JSON arrays into columns, and how to debug logic errors in real time.
Key Topics & Discussion Points
Jump straight to the sections that interest you most:
- 5:00 – Meet the Speaker: Introduction to Darren Davis and his background in SIEM migration.
- 9:07 – What is Parsing? Defining the importance of normalizing data for Security Operations.
- 10:48 – The Unified Data Model (UDM): Overview of UDM schema, event types, and required formats (JSON/Syslog).
- 14:15 – When to Customize: Identifying when you need a custom parser (e.g., bespoke apps, unsupported versions, specific compliance needs).
- 19:15 – Parsing Methodology: Darren’s personal framework for determining which fields to map.
- 25:13 – The Parser Workflow: Data Extraction vs. Manipulation vs. Assignment.
- 33:54 – Live Demo Begins: Step-by-step creation of a custom parser in the UI.
- 41:41 – Debugging Tips: How to use the statedump filter to inspect the parser's state and troubleshoot your logic line by line.
- 47:48 – Advanced Logic: Using conditionals (e.g., if not JSON) to handle multiple log formats in a single parser.
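To make the Extraction / Manipulation / Assignment workflow, the statedump debugging step and the "if not JSON" fallback concrete, here is a minimal custom parser written in Google SecOps parser syntax (which is Logstash-derived). This is an added example for this recap, not code from the webinar, from Darren's blog posts or from the GCS-webinar-parser-example repository. The application ("ExampleApp"), its two log formats, the two sample log lines and the field names are constructed for illustration; filter and option names follow the Google SecOps parser syntax as commonly documented, so check anything you reuse against the Parser syntax reference and the UDM usage guide linked below, in particular the required fields for the event type you choose.

```logstash
# Added example, not from the webinar. Two constructed input lines for a
# hypothetical "ExampleApp" that logs either JSON or a flat syslog-style line:
#   {"ts":"2024-05-01T10:15:00Z","action":"login","user":"alice","src":{"ip":"10.0.0.5"},"tags":["mfa","vpn"]}
#   2024-05-01T10:16:00Z login user=bob src=10.0.0.6
filter {
  # 1. EXTRACTION. Try JSON first. on_error sets a flag instead of failing
  #    the event; split_columns turns the "tags" array into tags.0, tags.1 ...
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }

  if [not_json] {
    # Fallback for the non-JSON form: a grok pattern over the same fields.
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:ts} %{WORD:action} user=%{USERNAME:user} src=%{IP:src_ip}"
      }
      on_error => "not_grok"
    }
    if [not_grok] {
      # Neither format matched: drop with a tag so the miss is visible.
      drop { tag => "TAG_UNSUPPORTED" }
    }
  } else {
    # Flatten the nested JSON object so both branches end with "src_ip".
    mutate { replace => { "src_ip" => "%{src.ip}" } }
  }

  # Debugging aid from the webinar: dump every field at this point so you can
  # see exactly what extraction produced before manipulation runs.
  statedump { label => "after_extraction" }

  # 2. MANIPULATION. Convert the raw timestamp into the UDM event timestamp.
  date {
    match => ["ts", "ISO8601"]
    target => "event.idm.read_only_udm.metadata.event_timestamp"
    on_error => "no_timestamp"
  }

  # 3. ASSIGNMENT. Minimum fields first: a safe default event type plus
  #    vendor/product so the event validates even for unknown actions.
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
      "event.idm.read_only_udm.metadata.vendor_name" => "ExampleVendor"
      "event.idm.read_only_udm.metadata.product_name" => "ExampleApp"
    }
  }

  # Then the fields that make the event useful for detection: a specific
  # event type, the principal user, and the source IP (a repeated field,
  # so it is merged rather than replaced).
  if [action] == "login" {
    mutate {
      replace => {
        "event.idm.read_only_udm.metadata.event_type" => "USER_LOGIN"
        "event.idm.read_only_udm.principal.user.userid" => "%{user}"
        "event.idm.read_only_udm.target.application" => "ExampleApp"
        "event.idm.read_only_udm.extension.auth.type" => "MACHINE"
      }
    }
    mutate { merge => { "event.idm.read_only_udm.principal.ip" => "src_ip" } }
  }

  # Extra context (only present in the JSON form): keep the first tag as a
  # label in additional.fields. Referencing a missing field raises an error,
  # which on_error turns into a flag we can test.
  mutate {
    replace => {
      "_label.key" => "tag0"
      "_label.value.string_value" => "%{tags.0}"
    }
    on_error => "no_tags"
  }
  if ![no_tags] {
    mutate { merge => { "event.idm.read_only_udm.additional.fields" => "_label" } }
  }

  # Emit the assembled UDM event.
  mutate { merge => { "@output" => "event" } }
}
```

The order of the three blocks matters: every branch of extraction converges on the same flat field names (ts, action, user, src_ip) before manipulation, so the assignment block is written once rather than once per log format. Placing statedump between extraction and manipulation is where it pays off most, because that is where field names and nesting are usually wrong; move or remove it once the parser is stable.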
Resources Mentioned
- Community Blog: "Normalize Anything with Custom Parser Development" by Darren Davis
- Medium Blog: “Parsers as Code in Google SecOps”
- Documentation: UDM usage guide & Parser syntax reference
- GitHub: GCS-webinar-parser-example
- Presentation Slide Deck (attached)
- Webinar FAQ (attached)
Still have questions about what you saw in the webinar? Post them in the section below.
