Work with community parsers in GitHub

Google Security Operations utilizes an open-source repository on GitHub to enable community, partner, and customer collaboration for parser development and maintenance. This repository lets community contributions expand and maintain the available set of parsers for Google SecOps.

Goals

  • Enable community contributions: Allow external users, partners, and customers to contribute new and updated community parsers.
  • Facilitate adoption: Provide users with a mechanism to adopt community parsers into their custom parser instances.
  • Ensure quality: Maintain a rigorous vetting and testing framework to validate the security and functional quality of all contributions before release.

Before you begin

Make sure you have the chronicle.parsers.create permission, which is part of the chronicle.admin IAM role.

Repository structure

All parsers are organized within the top-level parsers/ directory in the Content Hub area of the GitHub repository. Each log source has its own dedicated subdirectory.

content-hub/
└── content/
    └── parsers/
        ├── third_party/
        │   ├── community/
        │   │   ├── VENDOR1_PRODUCT1/cbn/
        │   │   └── VENDOR2_PRODUCT2/cbn/
        │   ├── partnerA/
        │   │   └── VENDOR1_PRODUCT1/cbn/
        │   └── partnerB/
        │        └── VENDOR1_PRODUCT1/cbn/
        ...

Folder naming conventions

The folder naming conventions for all subdirectories under third_party/community/ in the parser repository are strictly defined. These standards ensure system compatibility, discoverability for customers, and alignment with internal Google SecOps conventions.

Create a community parser in GitHub

The following sections detail how to locate and deploy community parsers and how to validate the resulting custom parser.

Locate and download community parsers

  1. Navigate to the required log type folder.
  2. Review the metadata.json file to check for references related to the log sources supported by the parser.
  3. Download the parser.conf file, which contains the core parser logic in CBN syntax.
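A small pre-deployment check for the locate-and-download steps above, written as an added example that is not part of the Google SecOps documentation or of the Content Hub repository. It walks a local clone using only the directory layout shown in the Repository structure section, confirms that each log type folder has both metadata.json and parser.conf before anything is pasted into Create Parser, and builds a constructed sample checkout so it runs offline. The metadata keys in the sample are an assumption for the example (the page does not define the metadata.json schema), and the script does not parse CBN syntax itself.

```python
"""Inventory and sanity-check community parsers in a local clone of the Content Hub repository.

Added example; assumes only the documented layout
  content-hub/content/parsers/third_party/<contributor>/<VENDOR_PRODUCT>/cbn/
with metadata.json and parser.conf inside each cbn/ folder.
"""
import json
import tempfile
from pathlib import Path

# Path of the parser tree relative to the checkout root, as shown on the page.
THIRD_PARTY = Path("content") / "parsers" / "third_party"
# Files the deploy procedure relies on (metadata for context, parser.conf for the CBN logic).
REQUIRED_FILES = ("metadata.json", "parser.conf")


def list_parsers(repo_root):
    """Map (contributor, VENDOR_PRODUCT) -> cbn/ directory for every parser folder in a checkout."""
    base = Path(repo_root) / THIRD_PARTY
    found = {}
    if not base.is_dir():
        return found
    for contributor in sorted(p for p in base.iterdir() if p.is_dir()):
        for product in sorted(p for p in contributor.iterdir() if p.is_dir()):
            cbn = product / "cbn"
            if cbn.is_dir():
                found[(contributor.name, product.name)] = cbn
    return found


def check_parser_folder(cbn_dir):
    """Report whether a cbn/ folder is complete enough to copy into a custom parser.

    Returns {"metadata": parsed metadata.json or None, "problems": [...]};
    an empty problem list means both required files are present and usable.
    """
    cbn_dir = Path(cbn_dir)
    report = {"metadata": None, "problems": []}
    for name in REQUIRED_FILES:
        if not (cbn_dir / name).is_file():
            report["problems"].append(f"{name} missing")
    meta_path = cbn_dir / "metadata.json"
    if meta_path.is_file():
        try:
            report["metadata"] = json.loads(meta_path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            report["problems"].append(f"metadata.json is not valid JSON: {exc}")
    conf_path = cbn_dir / "parser.conf"
    if conf_path.is_file() and not conf_path.read_text(encoding="utf-8").strip():
        report["problems"].append("parser.conf is empty")
    return report


def locate_parser_conf(repo_root, vendor_product, contributor="community"):
    """Return the parser.conf path for a log type folder, or None if it is absent or incomplete."""
    cbn = list_parsers(repo_root).get((contributor, vendor_product))
    if cbn is None or check_parser_folder(cbn)["problems"]:
        return None
    return cbn / "parser.conf"


def build_sample_checkout(root):
    """Create a constructed checkout mirroring the documented layout (sample data, not real parsers)."""
    root = Path(root)
    good = root / THIRD_PARTY / "community" / "VENDOR1_PRODUCT1" / "cbn"
    good.mkdir(parents=True)
    # These metadata keys are an assumption for the example, not the repository's schema.
    (good / "metadata.json").write_text(json.dumps({"log_type": "VENDOR1_PRODUCT1", "version": 1}))
    (good / "parser.conf").write_text("filter {\n  # constructed placeholder CBN logic\n}\n")
    broken = root / THIRD_PARTY / "community" / "VENDOR2_PRODUCT2" / "cbn"
    broken.mkdir(parents=True)
    (broken / "metadata.json").write_text("{not json")  # parser.conf deliberately absent
    partner = root / THIRD_PARTY / "partnerA" / "VENDOR1_PRODUCT1" / "cbn"
    partner.mkdir(parents=True)
    (partner / "metadata.json").write_text("{}")
    (partner / "parser.conf").write_text("filter {}\n")
    return root


def demo():
    """Run the inventory over a constructed checkout.

    Returns (problems_by_folder, located) where located says whether locate_parser_conf
    found a usable parser.conf for each community log type.
    """
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_checkout(tmp)
        problems = {key: check_parser_folder(cbn)["problems"] for key, cbn in list_parsers(repo).items()}
        located = {
            vp: locate_parser_conf(repo, vp) is not None
            for vp in ("VENDOR1_PRODUCT1", "VENDOR2_PRODUCT2")
        }
        return problems, located


if __name__ == "__main__":
    problems, located = demo()
    for key, issues in problems.items():
        print(key, "OK" if not issues else issues)
    print(located)
```

Run it against a real clone by calling list_parsers("path/to/content-hub") and check_parser_folder on each result; a non-empty problem list is the cue to fix the folder (or open an issue) rather than deploy it.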

Deploy community parsers in Google SecOps

The following step explains how to copy a community parser into your own custom parser instance. Once deployed, the parser runs as a custom parser that you maintain.

  • In your Google SecOps instance, upload or paste the contents of the downloaded parser.conf file into the corresponding fields in the Create Parser page in SIEM Settings.

Validate the custom parser

After you deploy the parser in your Google SecOps instance, built-in custom parser validations are automatically triggered to check for potential pipeline failures or normalization issues. If these validations fail, you must fix the parser logic or modify your copy of the parser to align with your specific use case. We encourage you to contribute corrections or enhancements back to the community repository and become an active participant in the open-source community.

For detailed information on contributing new parsers or updating existing ones in GitHub, see GitHub parser instructions.

If you encounter any issues with the integration, open a case in GitHub.
