Welcome to the Google Cloud Security Community!

Test Rule not matching UDM Search results

Hi there,I am testing a detection rule with Zscaler, specifically trying to detect “malicious download” behaviors.I have a simple single event query which returns results when ran in UDM search: $e.metadata.vendor_name = "Zscaler"$e.metadata.log_type

452

11 minutes ago

marcus_aureliusBronze 1

Defender for Endpoint Containers

Hello,Setting up a feed integration for Defender for Endpoint following the google docs page found here. When we get to the Azure URI (https://somethingstorage.blob.core.windows.net) can we setup a wildcard here or do we need to create a feed for eac

10

55 minutes ago

TJAStaff

Community Blog

Agentic Threat Intelligence: Your security team just grew

How many browser tabs do you have open right now? If you’re a threat analyst or security practitioner, the answer is likely “too many.” Your day is a constant race to connect disparate dots—sifting through lengthy threat reports, parsing OSINT articl

15001

1 hour ago

jrrutlandNew Member

Increased false positive rates being observed

Hey y’all!As of yesterday, I have been seeing a incredibly high false positive rate (blocking 100% of legitimate users in my testing). Specifically, this is impacting my iOS Web Views, which have a custom user agent string. This is not impacting my A

The Google Security Operations Feature Roundup: Advancing AI, Analytics, and Data Infrastructure

3 hours ago

lkirkmanStaff

News & Announcements

Google Security Operations (SecOps) continues to push the boundaries of innovation, focusing on deep integration and intelligent automation. Our recently released features are designed to reduce noise, accelerate investigations, and ensure your secur

320

6 hours ago

komajaroNew Member

Data table event enrichment (inner vs left vs outer)

Hello,Is there a way to influcence the type of join operation when using data tables ?Previously, when working with splunk there was an option to pick one of 3 choices: inner, outer or left.When working with data tables in secops I see that it behave

151

9 hours ago

BernaldoBronze 1

Alert no ingestion from feeds

Hi,I’m triying to create an alert that indicates when there’s a lack of logs from a feed source. Basically my idea was:rule DEV_FEED_LACK_OF_DATA { meta: author = description = severity = "Critical" events: $e.metadata.log_type = "Off

263

11 hours ago

pranay_makNew Member

Delay in Entity Visibility

I created a entity parser and ingested entities. The Ingested logs appear immediately in Raw Log Search, but the corresponding entities only become visible in UDM Search and Native Dashboards after almost a full day. I ensured that timestamp fie

13 hours ago

DaisukeBPMNew Member

reCAPTCHA Classic still showing "Migrate keys" after successful migration to GCP

Hi,I have successfully migrated my reCAPTCHA keys to Google Cloud Platform, but the reCAPTCHA Classic console still displays the "Migrate keys" message. I would like to confirm whether any additional action is needed on my end.Current situation:- GCP

190

22 hours ago

_K_OBronze 5

Has Anyone Migrated from Forwarders to Bindplane?

Hi All, With the Google SecOps Forwarder being deprecated next year (https://docs.bindplane.com/how-to-guides/google-secops/migrating-from-the-deprecated-google-chronicle-forwarder) has anyone here started / completed the migration? My team and I ar

100

EP0New Member

Test Rule not matching UDM Search results

Hi there,I am testing a detection rule with Zscaler, specifically trying to detect “malicious download” behaviors.I have a simple single event query which returns results when ran in UDM search: $e.metadata.vendor_name = "Zscaler"$e.metadata.log_type

452

11 minutes ago

marcus_aureliusBronze 1

Defender for Endpoint Containers

Hello,Setting up a feed integration for Defender for Endpoint following the google docs page found here. When we get to the Azure URI (https://somethingstorage.blob.core.windows.net) can we setup a wildcard here or do we need to create a feed for eac

10

55 minutes ago

jrrutlandNew Member

Increased false positive rates being observed

Hey y’all!As of yesterday, I have been seeing a incredibly high false positive rate (blocking 100% of legitimate users in my testing). Specifically, this is impacting my iOS Web Views, which have a custom user agent string. This is not impacting my A

3 hours ago

komajaroNew Member

Data table event enrichment (inner vs left vs outer)

Hello,Is there a way to influcence the type of join operation when using data tables ?Previously, when working with splunk there was an option to pick one of 3 choices: inner, outer or left.When working with data tables in secops I see that it behave

151

9 hours ago

pranay_makNew Member

Delay in Entity Visibility

I created a entity parser and ingested entities. The Ingested logs appear immediately in Raw Log Search, but the corresponding entities only become visible in UDM Search and Native Dashboards after almost a full day. I ensured that timestamp fie

13 hours ago

DaisukeBPMNew Member

reCAPTCHA Classic still showing "Migrate keys" after successful migration to GCP

Hi,I have successfully migrated my reCAPTCHA keys to Google Cloud Platform, but the reCAPTCHA Classic console still displays the "Migrate keys" message. I would like to confirm whether any additional action is needed on my end.Current situation:- GCP

190

22 hours ago

chronicleDDsrBronze 3

events exclusions in detection rule

Hi team,We are working on a session hijacking case on slack log source and focusing on series of event where $ip is more than or equal to 2 which seems to be working with current rule we haveWe are looking for a starting point to filter out events of

141

nelsos.torresNew Member

Best Practice: BindPlane Agent Integration for Linux Servers - Optimal LogType Selection

I need guidance on the optimal integration approach for ingesting Linux server logs into Google SecOps/Chronicle using the BindPlane agent.Specific Questions:1. Recommended LogType for Linux Systems - What is the most appropriate log_type for gener

291

Cloud Security Foundation

begerNew Member

!urgent help, My Project (id: bionic-xxxx) is being suspended for repeatedly violating our Google Cloud Platform Terms of Service

in my project show this message “My Project (id: bionic-xxxx) is being suspended for repeatedly violating our Google Cloud Platform Terms of Service or Acceptable Use Policy (including Terms of Service of the Google API you may be using). “ and I can

20

ORBRSilver 1

Google SOAR - Retrieve playbook action results via API

HI everyone, I’m trying to find a documentation of the SOAR api, but I’m unable to find an API that lets me retrieve playbook results per alert.I want to be able to retrieve the data from query enrichments that I’ve created. Has anyone been successfu

637