Define CBN up front for new SecOps users

Add a short, skippable callout explaining what a parser / configuration-based
normalizer (CBN) is and how it fits the SecOps ingest flow (log type → parser →
UDM event), so the README serves newcomers without slowing experienced users.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sean Whalen
2026-06-04 11:13:03 -04:00
parent 1c234de9ff
commit 88034c7192
+8
@@ -10,6 +10,14 @@ parsedmarc already ships structured JSON over syslog; the DMARC→UDM mapping
lives here so that a downstream UDM schema change is a parser edit rather than a
parsedmarc release.
> **New to SecOps parsers?** SecOps ingests a log source by running a *parser*
> that turns each raw log line into a [Unified Data Model](https://cloud.google.com/chronicle/docs/event-processing/udm-overview)
> (UDM) event. These parsers are written in a Logstash-style configuration
> language Google calls a **configuration-based normalizer (CBN)** — the
> `parsedmarc.conf` in this directory is one. You attach it to a custom *log
> type*, and SecOps then runs it on every parsedmarc syslog line. Already fluent
> in CBN? Skip to [Installation](#installation).
## Status
> [!IMPORTANT]
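Review bot: the new callout is written as a plain blockquote with a bold lead-in (`> **New to SecOps parsers?**`), while the `## Status` section directly below it uses the alert form `> [!IMPORTANT]`; using `> [!NOTE]` here would keep the two callouts consistent and render it as the skippable aside the commit message describes. The closing link `[Installation](#installation)` targets a heading that is not visible in this hunk, so please confirm the README has an `Installation` heading whose generated anchor is exactly `#installation`. The callout also says the parser is attached to a custom *log type* without saying where that step is documented; if the Installation section covers it, a few words saying so would make the log type → parser → UDM flow from the commit message easier for a newcomer to follow.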