About chrisd2

chrisd2

Hello guys,I noticed that for some API endpoints, the URL path is : https://chronicle.googleapis.com/v1alpha/{api_version}/projects/{project_id}/locations/{region}/instances/{instance} (instances.get), but I could not figure out what the api_version ...

chrisd2 · 11-06-2024

Hello everyone,I wrote a parser extension ("code" mode) for a log_type in order to add a couple fields that were not handled by the default parser.I mapped a couple raw fields to UDM fields under security_result in the parser ext.Problem: I noticed t...

chrisd2 · 09-26-2024

Hello guys,Context :I'm working on some custom parsers for some logs that cannot be made native-SecOps-parsers-compliant. Once the parser is done, I need to validate it against a large number of logs. In order to do so, I export a few tens of thousan...

chrisd2 · 09-26-2024

Hello all,I just came across the v1alpha API endpoint "logTypes.create" (link)I thought it had to be requested and then provided by Google.Does it mean that SecOps customers are autonomous for custom log_type creation ?If so, what is Google advice fo...

chrisd2 · 07-19-2024

Hello guys,Let's say I have a YARA-L rule I want to tune. I have a host-based whitelist and a username-based whitelist. I don't want any alert if the user in the log is in the username-based whitelist or if the host in the log is in the host-based wh...

chrisd2

Hello, the issue was between the keyboard and the chair. An unfortunate copy-paste led me to send POST requests instead of GET 8). Sorry to have bothered you and again, thanks for your help.Troubleshooting steps :- Use of the Google Colab Notebook to...

chrisd2

Hello,Thanks for your answer.I still cannot perform the request, I tried the following but none seem to work (still getting 404 errors) :GET https://chronicle.googleapis.com/v1alpha/projects/{project_id}/locations/{region}/instances/{instance} GET ht...

chrisd2 · 11-12-2024

Hello, the docs state that we cannot use "Map Data fields" extensions for repeated fields that are not at the lowest level of the hierarchy :Important: Data field mapping instructions can include repeated fields only when the repeated field is at the...

chrisd2 · 11-12-2024

Hello,Just to add to the conversation, for future readers, the "Map data fields" extension with "Append Values" to Reapeated Fields is not a solution to avoid overwriting of security_result by the parser extension.Indeed, from the docs :Important: Da...

chrisd2 · 11-07-2024

Hello @cmorris Here is a brief version of the parser extension :filter { mutate { replace => { "event" => "" "sec_result" => "" # Temporary token used to map log fields to security_result UDM field } } # {...} Data extraction logic redacted, all raw ...

My Stats

chrisd2's Bio

Badges chrisd2 Earned

Recent Activity

Mysterious URL parameter in some v1alpha API endpoints path

Repeated fields overwritten in parser extension (code)

Gone missing : my logs

API Endpoint logTypes.create

Boolean conditions & rule execution performance

Re: Mysterious URL parameter in some v1alpha API endpoints path

Re: Mysterious URL parameter in some v1alpha API endpoints path

Re: Repeated fields overwritten in parser extension (code)

Re: Repeated fields overwritten in parser extension (code)

Re: Repeated fields overwritten in parser extension (code)