What Changed
Two new ASIM AlertEvent parsers have been added for Google SecOps:
- ASimAlertEventGoogleSecOps – the unfiltered, schema-normalising parser (union participant)
- vimAlertEventGoogleSecOps – the filtering variant accepting disabled and pack parameters
Both parsers are registered into the umbrella ASimAlertEvent and imAlertEvent union parsers (version bumped 0.1.5 to 0.1.6), so _ASim_AlertEvent_GoogleSecOps is automatically included in all schema-wide queries. The parser can be excluded via the ExcludeASimAlertEventGoogleSecOps entry in the DisabledParsers watchlist.
Parser Impact
Source table: DetectionAlerts_CL (custom table populated by the Google SecOps connector)
Schema normalised: ASIM AlertEvent v0.1
Key field mappings of note for detection engineers:
| ASIM Field | Source |
|---|---|
| EventSeverity | detection.severity lookup (CRITICAL/HIGH to High, MEDIUM to Medium, LOW to Low, INFORMATIONAL/INFO to Informational) |
| EventSubType | DetectionType lookup (RULE_DETECTION/GCTI_FINDING to Threat, JOB_DETECTION to Suspicious Activity) |
| DetectionMethod | DetectionType lookup (RULE_DETECTION to Behavioral Analytics, GCTI_FINDING to Threat Intelligence, JOB_DETECTION to Automated Investigation) |
| AlertStatus | alertState: ALERTING to Active, else Closed |
| AlertVerdict | threatVerdict: MALICIOUS/SUSPICIOUS to True Positive, BENIGN to Benign Positive |
| ThreatCategory | String-match on threat.category to Malware/Ransomware/Trojan/Phishing etc. |
| AttackTactics / AttackTechniques | Extracted from ruleLabels where key = mitre_attack_tactic / mitre_attack_technique |
| DvcIpAddr | Coalesced from variables.principal_ip, source_ip, or correlation_ip |
| Username | Coalesced from variables.principal_user_userid, source_user_userid, or user |
MITRE tactic/technique values are pulled dynamically from Google SecOps rule labels – no static mapping; the parser surfaces whatever MITRE context the originating GCTI/RULE_DETECTION carries.
The pack=true mode packs the raw source fields (ruleId, ruleVersion, ruleLabels, detectionFields, outcomes, variables, detectionTimingDetails, latencyMetrics) into the AdditionalFields property bag so they remain available for enriched hunting.
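As an added illustration (not the parser's own KQL), the lookups in the table above, the dynamic MITRE label extraction and the pack behaviour, applied to constructed rows. The column names, the key/value array shape of ruleLabels and the sample values are assumptions, not the connector's actual DetectionAlerts_CL schema.

```kql
// Constructed sample rows; column names and the ruleLabels shape are assumptions,
// not the Google SecOps connector's real DetectionAlerts_CL columns.
let SampleAlerts = datatable(
    TimeGenerated: datetime, DetectionType: string, severity: string,
    alertState: string, threatVerdict: string, ruleId: string, ruleLabels: dynamic)
[
    datetime(2024-01-01T10:00:00Z), "RULE_DETECTION", "HIGH", "ALERTING", "MALICIOUS", "ru_sample_1",
        dynamic([{"key":"mitre_attack_tactic","value":"TA0002"},{"key":"mitre_attack_technique","value":"T1059"}]),
    datetime(2024-01-01T10:05:00Z), "GCTI_FINDING", "MEDIUM", "NOT_ALERTING", "BENIGN", "ru_sample_2",
        dynamic([{"key":"mitre_attack_tactic","value":"TA0011"}]),
    datetime(2024-01-01T10:10:00Z), "JOB_DETECTION", "INFO", "ALERTING", "SUSPICIOUS", "ru_sample_3",
        dynamic([])
];
SampleAlerts
| extend EventSeverity = case(
      severity in ("CRITICAL", "HIGH"), "High",
      severity == "MEDIUM", "Medium",
      severity == "LOW", "Low",
      severity in ("INFORMATIONAL", "INFO"), "Informational",
      "")
| extend EventSubType = case(
      DetectionType in ("RULE_DETECTION", "GCTI_FINDING"), "Threat",
      DetectionType == "JOB_DETECTION", "Suspicious Activity",
      "")
| extend DetectionMethod = case(
      DetectionType == "RULE_DETECTION", "Behavioral Analytics",
      DetectionType == "GCTI_FINDING", "Threat Intelligence",
      DetectionType == "JOB_DETECTION", "Automated Investigation",
      "")
| extend AlertStatus = iff(alertState == "ALERTING", "Active", "Closed")
| extend AlertVerdict = case(
      threatVerdict in ("MALICIOUS", "SUSPICIOUS"), "True Positive",
      threatVerdict == "BENIGN", "Benign Positive",
      "")
// mv-apply drops rows whose array is empty or null; keep such alerts by giving them one empty label
| extend ruleLabels = iff(coalesce(array_length(ruleLabels), 0) == 0, dynamic([{}]), ruleLabels)
// Pull MITRE tactic/technique dynamically from the label array (no static mapping)
| mv-apply label = ruleLabels on (
      summarize
          AttackTactics = make_set_if(tostring(label.value), tostring(label.key) == "mitre_attack_tactic"),
          AttackTechniques = make_set_if(tostring(label.value), tostring(label.key) == "mitre_attack_technique")
  )
// pack=true behaviour: raw source fields retained in a property bag for hunting
| extend AdditionalFields = bag_pack("ruleId", ruleId, "ruleLabels", ruleLabels)
| project TimeGenerated, EventSeverity, EventSubType, DetectionMethod, AlertStatus, AlertVerdict,
          AttackTactics, AttackTechniques, AdditionalFields
```

The third constructed row has no labels and still survives with empty AttackTactics and AttackTechniques sets, which is the case a real parser has to handle when a detection carries no MITRE context.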
Prior to this PR, any deployment ingesting Google SecOps detection alerts into DetectionAlerts_CL had no ASIM normalisation path – schema-wide imAlertEvent queries returned no Google SecOps rows.
Affected Files
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventGoogleSecOps/ASimAlertEventGoogleSecOps.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventGoogleSecOps/README.md
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
Parsers/ASimAlertEvent/ARM/vimAlertEventGoogleSecOps/README.md
Parsers/ASimAlertEvent/ARM/vimAlertEventGoogleSecOps/vimAlertEventGoogleSecOps.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventGoogleSecOps.md
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventGoogleSecOps.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/ASimAlertEventGoogleSecOps.yaml
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventGoogleSecOps.yaml
Parsers/ASimAlertEvent/Tests/GoogleSecOps_ASimAlertEvent_ASimDataTester.csv
Parsers/ASimAlertEvent/Tests/GoogleSecOps_ASimAlertEvent_ASimSchemaTester.csv
Parsers/ASimAlertEvent/Tests/GoogleSecOps_vimAlertEvent_ASimDataTester.csv
Parsers/ASimAlertEvent/Tests/GoogleSecOps_vimAlertEvent_ASimSchemaTester.csv
Sample Data/ASIM/Google_GoogleSecOps_AlertEvent_IngestedLogs.csv