This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

How can we track updates happening to parser in google chronicle ?

Posted on 02-14-2025 02:38 AM
rahul7514
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi ,

How can we track updates happening to parser in google chronicle ?
Recently we had a scenario where one of our use cases did not trigger due to the field value change .
we had an alert of a user adding to a group ,however the UDM field for the group was later seen to have changed .Hence it did not trigger . 

So would like to know how can we know updates as an email notification ?

1 4 259
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
t-martin
Staff
Reply posted on --/--/---- --:-- AM

You can view changes to parsers using this page: https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers

If you click into the release notes for a specific parser, you can then add that page to a collection using the in-page bookmark icon. After that, in your Google Developer Program (top-right) Saved Pages you can manage these collections. In your Profile Settings, ensure you have enabled notifications for documentation Release Notes. This should result in an email notification when any parsers you add to your collection have updated release notes.

0 Likes

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @rahul7514,

When updating a parser, you can select 'diff only fields', which will show you the fields that are different between the previous and new parser. Unfortunately, there is no easy way (that I am aware of) on autonomously identifying whether an update to a parser will affect xxx rules.

 

However, you could utilise the retrohunt endpoints, and for example build a flow in a CI/CD pipeline to do the following

Parser Request Modification -> Identify rules that utilise that parser -> Run a retrohunt on xxx rules -> Apply parser modification -> Run a retrohunt on xxx rules again -> Compare the difference.

Kind Regards,

Ayman

0 Likes

Posted on --/--/---- --:-- AM
rahul7514
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

When google updates parser for a log type. Does it get pushed automatically to my console or do i need to manually push the update?? 

0 Likes

Posted on --/--/---- --:-- AM
amithpatil
Staff
In response to rahul7514
Reply posted on --/--/---- --:-- AM

Hi!

Once a parser update becomes available, you will have the ability to manually update the parser in the Parsers page under Siem settings > Parsers. They will be auto updated on the 4th week of every month : 

 

 

0 Likes
Top Solution Authors
View all