From 88034c71921c077a67b1e4379ec52bf3bfbb13ae Mon Sep 17 00:00:00 2001 From: Sean Whalen <44679+seanthegeek@users.noreply.github.com> Date: Thu, 4 Jun 2026 11:13:03 -0400 Subject: [PATCH] Define CBN up front for new SecOps users MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a short, skippable callout explaining what a parser / configuration-based normalizer (CBN) is and how it fits the SecOps ingest flow (log type → parser → UDM event), so the README serves newcomers without slowing experienced users. Co-Authored-By: Claude Opus 4.8 (1M context) --- google_secops_parser/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/google_secops_parser/README.md b/google_secops_parser/README.md index bb25f6d..acdd533 100644 --- a/google_secops_parser/README.md +++ b/google_secops_parser/README.md @@ -10,6 +10,14 @@ parsedmarc already ships structured JSON over syslog; the DMARC→UDM mapping lives here so that a downstream UDM schema change is a parser edit rather than a parsedmarc release. +> **New to SecOps parsers?** SecOps ingests a log source by running a *parser* +> that turns each raw log line into a [Unified Data Model](https://cloud.google.com/chronicle/docs/event-processing/udm-overview) +> (UDM) event. These parsers are written in a Logstash-style configuration +> language Google calls a **configuration-based normalizer (CBN)** — the +> `parsedmarc.conf` in this directory is one. You attach it to a custom *log +> type*, and SecOps then runs it on every parsedmarc syslog line. Already fluent +> in CBN? Skip to [Installation](#installation). + ## Status > [!IMPORTANT]
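Review bot: In the added callout, the sentence "written in a Logstash-style configuration language Google calls a **configuration-based normalizer (CBN)**" attaches the term CBN to the language, while the commit message ("a parser / configuration-based normalizer (CBN)") and the next clause ("the `parsedmarc.conf` in this directory is one") treat a CBN as the parser itself. Suggest rewording so the term has one meaning for a newcomer, for example "These parsers, which Google calls configuration-based normalizers (CBNs), are written in a Logstash-style configuration language". In the last added line, `[Installation](#installation)` depends on a heading that is not visible in this hunk (the next heading shown is `## Status`), so confirm that an `## Installation` heading exists and the skip link resolves. As a style point, the callout is a plain blockquote while the README uses a `> [!IMPORTANT]` alert directly under `## Status`; a `> [!NOTE]` alert would match that convention and keep the two blocks visually distinct.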