Question

Ingest GCP Monitoring alerts to SecOps via Pub/Sub push

  • January 21, 2026
  • 3 replies
  • 152 views

NASEEF

Hello team,

I’m trying to ingest GCP Monitoring alerts into SecOps using a Pub/Sub push subscription. To do this, I created an alert policy for “agent goes silent” and configured a notification channel using a Pub/Sub topic. That topic is attached to a push subscription that forwards events to the endpoint.

I am receiving email notifications (since email is also configured in the notification channel along with the pubsub topic), but the alerts are not being pushed to SecOps from the Pub/Sub topic.

I have given the Pub/Sub publisher permission to the topic.
My alerts are not getting acknowledged by the SecOps endpoint.

Is there any documentation I can refer to for correctly pushing GCP Monitoring alerts to SecOps?

3 replies

Eoved
  • Bronze 3
  • January 21, 2026

I know one way to do it is to create a webhook on the SOAR side and integrate between the systems.
See the following document:
https://docs.cloud.google.com/chronicle/docs/soar/ingest/webhooks/setting-up-a-webhook
 


secops_maneesh

Hi @NASEEF, are you seeing alerts in your Pub/Sub?

I am also trying the same, but I can't see generated alerts in my Pub/Sub.


RL01
  • New Member
  • May 13, 2026

Hi @NASEEF,

You have to create a push subscription.
On the SecOps site, you create a feed with source type “Google Cloud Pub/Sub Push” and log type “GCP Cloud Audit”. Create some namespace to find your alerting logs.
Use the feed endpoint URL in the push subscription. Enable authentication and use a service account that is specifically for ingesting logs. For the service account, you can create a custom role with only this permission: “chronicle.logs.import”.
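
The steps in the reply above, written out as `gcloud` commands. This is an added example, not part of the thread or of Google's documentation. It assumes the topic, the service account and the role binding all live in one project; every name and the endpoint URL are constructed placeholders to replace with your own values. It only prints the commands unless `DRY_RUN=0` is set.

```bash
#!/bin/sh
# Added example. All default values below are constructed placeholders.
PROJECT_ID="${PROJECT_ID:-example-project}"
TOPIC="${TOPIC:-monitoring-alerts}"          # topic used by the notification channel
SUBSCRIPTION="${SUBSCRIPTION:-secops-alerts-push}"
SA_NAME="${SA_NAME:-secops-ingest}"          # dedicated ingestion service account
ROLE_ID="${ROLE_ID:-secopsLogImport}"        # custom role id (hypothetical name)
FEED_ENDPOINT="${FEED_ENDPOINT:-https://feed-endpoint.example.invalid/placeholder}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = only print the commands

sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"; }

# Print each command; execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Custom role carrying only the permission named in the reply.
create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="SecOps log import" --permissions=chronicle.logs.import
}

# Dedicated service account, bound to nothing except the custom role.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email)" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Authenticated push subscription pointing at the feed endpoint URL.
create_push_subscription() {
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --project="$PROJECT_ID" \
    --topic="$TOPIC" --push-endpoint="$FEED_ENDPOINT" \
    --push-auth-service-account="$(sa_email)"
}

# Read back what Pub/Sub stored, to confirm the endpoint and the push identity.
verify_push_config() {
  run gcloud pubsub subscriptions describe "$SUBSCRIPTION" --project="$PROJECT_ID" \
    --format="value(pushConfig.pushEndpoint,pushConfig.oidcToken.serviceAccountEmail)"
}

provision() { create_role && create_service_account && create_push_subscription && verify_push_config; }

provision
```

If `verify_push_config` returns an empty service account column, the subscription is pushing without authentication.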