Hello Team or esteemed members,
Do we have any recommended best practices from Google, or your own recommendations, for Google SecOps (SIEM and SOAR)? There is a link in the community for Chronicle Best Practices (https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/tkb-p/chronicle-best-practices), but it seems to be more focused on operational aspects and limited to specific topics such as YARA-L functions, regex and queries.
I am looking for best practices for Chronicle SIEM and SOAR that encompass tool configuration best practices and recommendations for establishing a mature Google SecOps setup.
For example, best practices could include:
- Managing user access: defining RBAC roles
- Managing log retention: strategies for managing log retention for more than 12 months
- Health monitoring
- How to track log ingestion, and log optimization best practices specific to Chronicle, and so on