Is there a way to filter the workspace logs and reduce them before sending them to secops?
It is consuming too much storage of the tenant storage limit.
If using direct ingestion, there is no filtering option today, but you can use a feed to ingest; see below:
https://cloud.google.com/chronicle/docs/ingestion/cloud/workspace-to-chronicle
Note: Direct ingestion collects a wider range of workspace data compared to other feed methods. For example, other feed methods cannot ingest gmail application logs.
However, you can still use these other feed methods to ingest subsets of Google Workspace data, for example, to ingest WORKSPACE_USERS and WORKSPACE_GROUPS into your Google SecOps instance. For more information, see Configure a feed in Google SecOps to ingest Google Workspace logs.
@hzmndt
I am looking to filter logs for WORKSPACE_ACTIVITY.
I am currently using a feed, but it does not have an option to remove any workspace log events.
Is there an option like removing specific log events before sending them to secops, like we do in a GCP Log Export filter?