Community Webinar: SecOps Forwarder Deprecation & Open Telemetry Bindplane Use Cases
We are testing the actions “Send Chat Message” and “Send Message” for case escalation notifications to Microsoft Teams. When composing messages with new lines — using either \n, \r\n, or even manual line breaks (pressing Enter) — the Teams message still appears as a single continuous line, and the literal escape characters (\n or \r\n) are displayed in the message instead of actual line breaks. Is there an officially supported way to send messages from Google SecOps SOAR to Teams with preserved line breaks?
I’m currently leveraging the curated dashboard Data Ingestion and Health to get insight into our daily ingestion volume. I modified a few queries there to make them suitable for our case. It occurred to me to leverage some of this data and create a simple daily/weekly alert that checks whether we have exceeded our daily ingestion allowance. Example:
```
events:
  $event.ingestion.component = "Ingestion API"
  //$Log_Type = $event.ingestion.log_type
  //$Log_Type != ""
  $date = timestamp.get_date($event.ingestion.end_time)

match:
  $event, $date over 24h

outcome:
  $Total_Size_Bytes = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_volume, 0))
  $Total_Logs = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_count, 0))

condition:
  $Total_Size_Bytes >= [removed by moderator]
```
It turns out that the YARA-L rule editor complains that the field ingestion does not exist:
parsing: getting field descriptors: accessing field "udm.ingestion": field "ingestion" does not exist, valid fi
Hello, Security Community! We have some exciting news to share: Google has been named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM! In our second year of participation, we’ve been positioned in the Leaders quadrant, which can be attributed to our "Ability to Execute" and "Completeness of Vision." We're especially proud that Gartner recognized our vision as the furthest to the right among all vendors. Most importantly, none of this would be possible without your continued support and collaboration. You are at the heart of our innovation. Thank you for being a part of this journey! Access your complimentary copy of the report and read the full blog post.
Source: The 2025 Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, 8 October 2025. GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates an
Artificial Intelligence (AI) is integral to many features within the Google Threat Intelligence portal. This document consolidates and rephrases existing information, with links to original sources provided at the beginning of each section.
1.) Gemini is making our Search feature more powerful.
2.) Code Insights is creating reports on what malware is attempting to do.
3.) Threat Profiles have more insights thanks to the embedded use of AI.
Gemini in our Search feature: To simplify search, Gemini in Threat Intelligence redefines search with natural language, allowing users to quickly obtain AI-powered overviews of a topic by asking a natural language question. When you perform a single-term search, such as "what is APT44", you will receive the Gemini search summary.
Note: Gemini in Threat Intelligence search currently generates summaries exclusively from Google Threat Intelligence reports, threat actor, malware, and campaign data. The Gemini summary is only displayed when relevant informati
Hi, I want to verify that Cloud Armor logs are indeed visible in Chronicle through the Load Balancer logs. From what I understand, Cloud Armor events are included in the external load balancer logs and should appear in Chronicle with event_type = "NETWORK_CONNECTION". When I filter the logs in SecOps ingestion, I currently use:
```
OR log_id("loadbalancing.googleapis.com/external_regional_requests")
OR log_id("requests")
```
Is this filter sufficient to capture all relevant Cloud Armor activity (such as allowed or blocked requests), or are there additional log_id values that I should include to ensure full coverage of Cloud Armor logs in Chronicle? Thank you!
I want to assign a department name to each feed ID using a data table. I want to assign a department name to the Department variable for each feed_id used for import. The data table contains a combination of feed_id and department name for each row. For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C". Is this possible? I tried creating the following query, but it didn't work.
```
ingestion.log_type = "CISCO_MERAKI"
$Department = if(ingestion.feed_id in %imano_feed_id.feed_id, %imano_feed_id.department, "other")
match:
  $Department
outcome:
  $Volume = math.round(sum(ingestion.log_volume) / (1000), 2)
order:
  $Volume desc
```
The error message is as follows:
compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argument
If the above is difficult, is it possible to manually set the department and only compare the feed_id fr
Log Parsing Issue in Restricted Pipeline (Chronicle/CBN/Logstash)
We are encountering persistent syntax and parsing errors in a highly restricted log processing pipeline (likely based on Logstash/Grok, possibly within Google Chronicle or CBN). We need help structuring the code to handle the strict syntax and mixed log types without using advanced conditional logic.
1. Environment and Constraints
Environment: Highly restricted log parsing pipeline (cannot use standard Logstash features).
Confirmed Constraints (Key Failures):
NO if/else conditionals (if [field] fails, if "tag" in [tags] fails).
NO semicolons (;) allowed anywhere in the config.
Field names must use snake_case (e.g., host_name).
2. The Core Problem: Mixed Log Types
Our pipeline receives two distinct log formats that crash the system when we try to parse the second one, or when we encounter simple syntax errors.
Log Type: Envoy Access Log (Primary Goal)
Sample Log (Raw): <166>2025-10-22T14:00:00.095
I have been trying to deploy and run a simple Firebase Cloud Function. Every attempt fails due to what appears to be a fundamental issue with service account creation and authentication context in my project.
Symptoms: When calling the function, the context.auth object is always null or undefined, even when the client sends a valid, verified ID token. The function logs show The function must be called while authenticated. During deployment, I am now receiving the error: Error: Error generating the service identity for pubsub.googleapis.com.
We have already verified the following: The project is linked to an active billing account. All necessary APIs are enabled (Cloud Functions, Cloud Build, Run, Artifact Registry, IAM, etc.). We have tried manually adding IAM service accounts and toggling the Cloud Functions API off and on. We have removed all restrictions from the browser API key.
The project seems unable to correctly manage its own service identities and pass authentication context to it
In the old legacy SOAR dashboard I was able to create widgets which showed me the average handling time of stages. For average transition time between stages, I was using the ROI template. However, in the new dashboard I am not able to replicate this. Gemini did not help either. Does anyone have a tip?
Dear sir, We’re writing to inform you that all Google reCAPTCHA keys will need to be migrated to a Google Cloud project by the end of 2025. This will unite all reCAPTCHA customers under a single set of terms, a consistent pricing structure, and provide access to advanced security features. We’ve provided additional information below to guide you through this change.
What you need to do
We will apply the change in phases throughout the year, reaching out again by email when your keys become eligible. At that time, we will automatically create a Google Cloud project for you and associate your keys to it. However, we recommend that you get ahead of this process by following these instructions to manually migrate from reCAPTCHA Classic. This way you will be able to prescribe exactly which Google Cloud project you’ll associate with your key. Once you complete this process, the following features will be enabled immediately via Google Cloud console: Enterprise-grade dashboa
For SCCE customers, there’s a SOAR SCC Enterprise Response Integration that can be used for ingesting Toxic Combination findings and syncing their status. What should I use if I have SCCP and SecOps? I can’t find the SCC Enterprise integration on the Marketplace. I also can’t import it from another instance. A detection rule in SIEM would be the easiest way to go, but it looks like a new log is written in SIEM every time the toxic combination finding is updated by the SCC engine. Any suggestions?
How can I track month over month stats in my dashboard? Would a multi stage query work for this? For example, how would I take the curated dashboard query:
```
$event.ingestion.component = "Ingestion API"
$Log_Type = $event.ingestion.log_type
$Log_Type != ""
match:
  $Log_Type
outcome:
  $Count = sum($event.ingestion.log_volume)
order:
  $Count desc
limit: 50
```
and modify it to return stats for each log type - one that looks at the current 30 days and one at the 30 days before that, and calcs the difference?
I’m trying to configure the GSuite Integration in SOAR: I have created a service account and granted the SecOps “soar-python” service account access with the Service Account Token Creator role. I delegated domain-wide authority to this service account using the client ID and scopes from this guide: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-workspace#search_user_activity_events I also created an admin custom role in the GWS Admin Console and assigned it to a new user, as described in the guide. I configured the GSuite Integration in SOAR and I’m still getting the following error when using the Test button:
```
{'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'}
```
I understand that most of the time the issue here is the scopes assigned to the Client ID in the Admin Console; that’s why I checked them multiple times and made sure they are cor