Silver Parsers for Cybereason
The Crest team developed standardized parsers for the Cybereason XDR platform to enable swift adoption.
Executive Summary
Inconsistencies in the existing parsers posed difficulties for creating detection rules in the Cybereason XDR platform.
By implementing the Silver parsers, security event logs are standardized, allowing for consistent mapping across security products.
Business Challenge
One of the pain points for Cybereason was the challenge of achieving comprehensive coverage of all possible security events on the Cybereason XDR platform. Although detection rules are already in place that consider important data fields based on data source category, event type, and security category, the major difficulty is covering all possible variations of data fields without compromising detection rules, while also mapping all raw log fields to the appropriate Chronicle UDM field.
Inconsistent mapping of similar product categories and log types with different formats poses a significant challenge, causing detection rules to break and leading to missed detections or false positives. Additionally, the traditional parser development approach results in a lengthy development lifecycle that impedes quick customer adoption.
Customer Solution
Crest Data has developed Silver parsers for over 30 products including Microsoft Graph Alert, Cisco Umbrella stack, Crowdstrike EDR, Sophos Firewall, and more. These parsers utilize important MVP (Minimum Valuable Product) data fields that Cybereason has established based on the requirements for their XDR platform. The MVP data fields are used to generate detection rules that parse security event data for valuable information.
The key steps in this process include analyzing security products and their telemetry, defining security context for events, mapping this context with Chronicle UDM events and fields based on Cybereason MVP standards, ensuring consistent mapping across product categories, and developing a parser (.conf file) based on the UDM mapping.
As an example, consider the raw log data ingested from a Sophos Firewall log source and its corresponding normalized UDM event, which the Silver parser produces.
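The Sophos example itself is not reproduced on this page. As an added illustration of the mapping step described above (not the page's example, and not Crest's or Cybereason's parser code, which ships as a Chronicle .conf file), the Python below parses two constructed key=value firewall lines from two hypothetical products, maps each vendor's field names onto a shared set of UDM-style field names, normalizes action and direction values to one vocabulary, and checks that the MVP-style required fields are present so a partial parse is reported rather than silently passed on. The sample log lines, the per-product mapping tables, and the required-field list are all constructed for this example; the dotted field names follow Chronicle UDM naming but the exact set a given parser must populate is a Cybereason-defined standard not shown here. The closing function stands in for a detection rule written once against UDM fields, to show why consistent mapping across products matters.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not real product output; field names are illustrative).
SOPHOS_STYLE_LINE = (
    'device="SFW" date=2024-01-15 time=10:15:02 timezone="UTC" log_type="Firewall" '
    'log_subtype="Allowed" status="Allow" src_ip=10.0.0.5 src_port=51234 '
    'dst_ip=203.0.113.7 dst_port=443 protocol="TCP" in_interface="Port1" out_interface="Port2"'
)
OTHER_FW_STYLE_LINE = (
    'vendor="ExampleFW" action=drop srcip=10.0.0.9 sport=4444 '
    'dstip=198.51.100.2 dport=22 proto=tcp dir=outbound'
)

# key=value or key="quoted value"; the quoted form may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value style line into a flat dict of raw string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


# Per-product mapping tables: raw field name -> shared UDM-style field name.
# Both products land on the same target names, which is the whole point.
SOPHOS_MAP = {
    "src_ip": "principal.ip", "src_port": "principal.port",
    "dst_ip": "target.ip", "dst_port": "target.port",
    "protocol": "network.ip_protocol", "status": "security_result.action",
}
OTHER_MAP = {
    "srcip": "principal.ip", "sport": "principal.port",
    "dstip": "target.ip", "dport": "target.port",
    "proto": "network.ip_protocol", "action": "security_result.action",
    "dir": "network.direction",
}

# Vendor action words collapse to one vocabulary so rules never match on vendor spelling.
ACTION_NORMALIZE = {"allow": "ALLOW", "allowed": "ALLOW", "accept": "ALLOW",
                    "deny": "BLOCK", "drop": "BLOCK", "block": "BLOCK"}

# Constructed stand-in for an MVP required-field list; a real one is defined by the platform.
REQUIRED_FIELDS = ("metadata.event_type", "principal.ip", "target.ip", "security_result.action")


def normalize(fields: Dict[str, str], mapping: Dict[str, str],
              vendor: str, product: str) -> Tuple[Dict[str, object], List[str]]:
    """Map raw fields to UDM-style names; return (event, list of missing required fields)."""
    udm: Dict[str, object] = {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.vendor_name": vendor,
        "metadata.product_name": product,
    }
    for raw_key, udm_key in mapping.items():
        if raw_key in fields:
            udm[udm_key] = fields[raw_key]
    if "security_result.action" in udm:
        raw_action = str(udm["security_result.action"]).lower()
        udm["security_result.action"] = ACTION_NORMALIZE.get(raw_action, "UNKNOWN_ACTION")
    for port_key in ("principal.port", "target.port"):
        if port_key in udm:
            udm[port_key] = int(str(udm[port_key]))
    for enum_key in ("network.ip_protocol", "network.direction"):
        if enum_key in udm:
            udm[enum_key] = str(udm[enum_key]).upper()
    missing = [k for k in REQUIRED_FIELDS if k not in udm]
    return udm, missing


def normalize_sophos_style(line: str):
    return normalize(parse_kv(line), SOPHOS_MAP, "Sophos", "Firewall")


def normalize_other_style(line: str):
    return normalize(parse_kv(line), OTHER_MAP, "ExampleVendor", "ExampleFW")


def detects_blocked_ssh(udm: Dict[str, object]) -> bool:
    """Toy detection rule written once against UDM fields, so it works for every mapped product."""
    return udm.get("security_result.action") == "BLOCK" and udm.get("target.port") == 22


if __name__ == "__main__":
    for label, fn, line in (("sophos-style", normalize_sophos_style, SOPHOS_STYLE_LINE),
                            ("other-style", normalize_other_style, OTHER_FW_STYLE_LINE)):
        event, missing = fn(line)
        print(label, "missing:", missing, "blocked-ssh:", detects_blocked_ssh(event))
```

Because both mapping tables resolve to the same dotted names and the same action vocabulary, `detects_blocked_ssh` needs no per-vendor branches; a line that lacks a required field is returned with a non-empty `missing` list so it can be counted as a failed log instead of producing a half-populated event that a rule would silently ignore.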
The Crest Difference
Expedited customer adoption by shortening the parser development lifecycle
Consistent mapping of UDM data fields across security products enhanced the quality of parsers
Enhanced search and threat detection capabilities achieved by increasing security coverage and minimizing failed logs within the supported log types
Created a mapping sheet for all parsers to serve as a useful reference during the creation, modification, or troubleshooting of detection rules
In addition to security use cases, support has been added for logs that can provide additional context during investigations of detections