Proper JSON Format for an Entity such as a Server

Hello,

I need to develop some code that will export the characteristics of servers and various network elements to Chronicle SIEM as entities so it can use the information to enrich events (and later for use with Chronicle SOAR). I'm told that normally this is done by interfacing with Active Directory or some sort of EDR solution, but that's not an option, so we have to roll our own, and it's proving difficult because there seems to be no concise documentation for entity processing.

What I have now is software on our side that generates JSON documents with a structure that tries to be compliant with the Entity documentation, but it's proving difficult. So two questions to begin with:

(1) Is there somewhere I could find examples of the JSON documents produced by other solutions (like AD or EDR products) for ingestion into Chronicle? I don't mean on the AD/EDR side but rather the final JSON that is ready to be ingested.

(2) Is there documentation on the Chronicle-side parser to actually ingest such documents?

It seems like there must be such documentation to support the people who did this for AD/EDR, but I have not been able to find it. Any hints?

Thanks!
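As an added illustration, not part of the original post, here is a small Python builder and sanity checker for the kind of entity document the question is about. The field names (`metadata.entity_type`, `metadata.collected_timestamp`, `entity.asset.hostname`, `entity.asset.ip`, `entity.asset.mac`) reflect my understanding of the Chronicle UDM Entity schema and should be checked against the current UDM entity field reference before use; the inventory record, vendor and product names are constructed sample values. The checker enforces the points that matter for enrichment to work at all: an entity type, a collection timestamp, at least one identifier that events can be joined on, and identifiers in a canonical form (lower-case hostname, parseable IP).

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample inventory record (not from the post); shape is hypothetical.
SAMPLE_SERVER = {
    "hostname": "WEB-01.Example.Internal",
    "ips": ["10.0.5.21", "10.0.5.22"],
    "mac": "00:11:22:33:44:55",
}


def build_asset_entity(record, vendor="ExampleCo", product="CMDB export", collected_at=None):
    """Map one inventory record to a UDM-style ASSET entity document.

    Hostnames are lower-cased so they match the hostname values Chronicle
    normalises from log events; otherwise enrichment silently fails to join.
    """
    collected_at = collected_at or datetime.now(timezone.utc)
    asset = {"hostname": record["hostname"].lower()}
    if record.get("ips"):
        asset["ip"] = list(record["ips"])       # repeated field: a list of strings
    if record.get("mac"):
        asset["mac"] = [record["mac"].lower()]  # repeated field as well
    return {
        "metadata": {
            "collected_timestamp": collected_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "vendor_name": vendor,
            "product_name": product,
            "entity_type": "ASSET",   # assumed enum value from the UDM entity schema
        },
        "entity": {"asset": asset},
    }


def validate_entity(doc):
    """Return a list of problems; an empty list means the document passes."""
    errors = []
    meta = doc.get("metadata", {})
    if meta.get("entity_type") != "ASSET":
        errors.append("metadata.entity_type must be ASSET for a server")
    if "collected_timestamp" not in meta:
        errors.append("metadata.collected_timestamp missing")
    asset = doc.get("entity", {}).get("asset", {})
    hostname = asset.get("hostname")
    ips = asset.get("ip", [])
    if not hostname and not ips:
        errors.append("asset needs a hostname or at least one ip to join on")
    if hostname and hostname != hostname.lower():
        errors.append("hostname should be lower-case for consistent matching")
    if not isinstance(ips, list):
        errors.append("asset.ip must be a list")
    else:
        for ip in ips:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"invalid ip address: {ip!r}")
    return errors


def build_batch(records):
    """Build, validate and serialise a batch; raises on the first bad record."""
    entities = []
    for rec in records:
        doc = build_asset_entity(rec)
        problems = validate_entity(doc)
        if problems:
            raise ValueError(f"{rec.get('hostname')}: {problems}")
        entities.append(doc)
    # Wrapper key is assumed; check the ingestion API reference for the real one.
    return json.dumps({"entities": entities}, indent=2)


if __name__ == "__main__":
    print(build_batch([SAMPLE_SERVER]))
```

The validator is the part worth keeping even if the field names change: most enrichment problems in practice come from identifiers that do not match what the events carry (mixed-case hostnames, a string where a list is expected, an unparseable address), and those are cheap to reject before the document leaves your side.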
