Health‑ISAC → Chronicle (Google SecOps) Indicator Ingestion: Missing Indicators in UI / UDM

  • February 25, 2026

ananthu007

We recently deployed an automated Health‑ISAC → Google SecOps (Chronicle) ingestion pipeline using the following components:

  • Health‑ISAC STIX/TAXII 2.1 collections
  • Cloud Run (Python 3.9) for TAXII polling, indicator transformation, and Chronicle ingestion
  • Cloud Scheduler (cron: */60 * * * *)
  • Secret Manager for Chronicle API Auth JSON + HITS_PASSWORD
  • Terraform for provisioning (Cloud Run, Scheduler, IAM, WIF)

The ingestion pipeline successfully executes every hour, Chronicle returns success response codes, and indicators are visible in the GCS export logs.

Issue

While ingestion logs/reporting confirm indicators are successfully pushed to Chronicle, indicators do not appear in the Chronicle UI:

  • They are visible in Cloud Logging + GCS export
  • Chronicle ingest API responds with 200
  • But the same indicators cannot be found in Chronicle (IOC Search, Entity Search, IOC Feed UI, or via UDM Search)

1 reply

Rob_P
Staff
  • February 25, 2026

Hello @ananthu007

Thanks for reaching out on this issue.  Are you able to do a raw log search in SecOps to see if you can find the data that way?  We do have support for parsing STIX Data as shown on this page below, but if you can validate the data is being ingested using a raw log search that may help.  Are there a few unique indicators in that STIX feed which you could try to search for using 

raw = "example.com"

https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/stix-changelog

If we can see the raw logs in there then this may be a Parser issue.  

Let us know what you find with Raw Log Search. 

Thanks,
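
Added example, not part of the reply and not Google SecOps or Health-ISAC code: one way to pull a few values out of a STIX 2.1 bundle and turn them into raw log search strings of the form shown in the reply. The sample bundle, the helper names, and the choice to keep only values used by a single indicator (so a hit traces back to one STIX object) are assumptions made for this example.

```python
import json
import re

# One STIX comparison such as  domain-name:value = 'bad.example.com'
COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>[^\s=!<>]+)\s*=\s*'(?P<val>(?:\\.|[^'\\])*)'")

def _ind(n, pattern, pattern_type="stix"):
    """Build a constructed indicator object (sample data only)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-%012d" % n,
            "pattern_type": pattern_type, "pattern": pattern}

# Constructed sample bundle, not real Health-ISAC data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _ind(1, "[domain-name:value = 'bad.example.com']"),
        _ind(2, "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'bad.example.com']"),
        _ind(3, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
        _ind(4, "rule constructed { condition: false }", pattern_type="yara"),
    ]})

def extract_values(bundle_json):
    """Map each literal value to the set of STIX-pattern indicator ids using it."""
    seen = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip non-indicators and non-STIX pattern languages
        for m in COMPARISON.finditer(obj.get("pattern", "")):
            value = re.sub(r"\\(.)", r"\1", m.group("val"))  # undo \' and \\
            seen.setdefault(value, set()).add(obj["id"])
    return seen

def raw_queries(bundle_json, limit=5):
    """Return {raw search string: indicator id} for values used by one indicator."""
    queries = {}
    for value, ids in extract_values(bundle_json).items():
        # Skip shared values, and values whose quoting in a search string is unclear.
        if len(ids) != 1 or '"' in value or "\\" in value:
            continue
        queries['raw = "%s"' % value] = next(iter(ids))
        if len(queries) >= limit:
            break
    return queries

if __name__ == "__main__":
    for query, indicator_id in raw_queries(SAMPLE_BUNDLE).items():
        print(indicator_id, "->", query)
```
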