Filter Workspace Logs

  • June 30, 2025
  • 4 replies

kaushalpatel

Is there a way to filter the Workspace logs and reduce them before sending them to SecOps?
It is consuming too much storage of the tenant storage limit.

hzmndt
  • Staff
  • July 1, 2025

@kaushalpatel 

If using direct ingestion, there is no filtering option today, but you can use a feed to ingest; see below:

https://cloud.google.com/chronicle/docs/ingestion/cloud/workspace-to-chronicle

Note: Direct ingestion collects a wider range of Workspace data compared to other feed methods. For example, other feed methods cannot ingest Gmail application logs.
However, you can still use these other feed methods to ingest subsets of Google Workspace data, for example, to ingest WORKSPACE_USERS and WORKSPACE_GROUPS into your Google SecOps instance. For more information, see Configure a feed in Google SecOps to ingest Google Workspace logs.


kaushalpatel
  • Author
  • New Member
  • July 2, 2025

@hzmndt 
I am looking to filter logs for WORKSPACE_ACTIVITY.
I am currently using a feed, but it does not have an option to remove any Workspace log events.

Is there an option like removing specific log events before sending them to SecOps, like we do in the GCP Log Export filter?


stephannyeb
  • New Member
  • January 26, 2026

Hey, I'm having the same issue as you, where I'd like to filter like in the GCP log export filter but haven't found any information on whether this can be done to the direct ingestion filter. Were you able to find anything else on this topic?

Thanks!


cmorris
  • Staff
  • January 27, 2026

Data Processing Pipelines (https://docs.cloud.google.com/chronicle/docs/ingestion/data-processing-pipeline?hl=en) could be used for filtering. This is a new feature coming to preview; I would recommend reaching out to your account team for more info.