Blog | Community

Blog Articles

Recent Posts

New to Google SecOps" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to SIEM or replacing their SIEM with Google SecOps. A core capability for an analyst is having the ability to search all the data that is being collected. We’ve illustrated that Google SecOps users can do this using UDM, the new and improved search interface and now with the addition of pivot . However, analysts may have a need to explore data, or build searches where the values of interest could be the source or the destination, the parent or the child. For analysts who have worked with the same set of data for an extended period, they often know which fields align with specific vendor events, but when a new data set is introduced or a new analyst starts, a learning curve must be started to learn the data and where it is mapped. To address the issue of having to know which field

2154

2 hours ago

jeffhoffmannStaff

Community Blog

Inside the Breach: A Red Team View of Healthcare Security

IntroductionHealthcare data and associated information systems are attractive targets for threat actors, particularly financially-motivated attackers. Cybercriminals often target these systems because they know medical professionals require access to them to care for patients, and healthcare organizations are likely to pay to get systems back online as soon as possible.M-Trends 2025 shows healthcare is a top five most targeted industry, which has been relatively consistent in recent years. Figure one shows Healthcare only 0.2% behind the Government. The healthcare industry can expect even more frequent, targeted attacks as healthcare technology continues to evolve and change.Figure 1: Healthcare remains a highly targeted industryMandiant’s Red Team understands how attackers target the healthcare industry, and replicates and emulates these tactics, techniques, and procedures (TTPs) to ensure healthcare customers are protected against the threats that matter most to them. These TTPs incl

5272

3 days ago

jstonerStaff

Community Blog

New to Google SecOps: Building a Rule To Monitor for Risky Behavior

Over the past month or so, we’ve slowly broadened our use of Google Security Operations (SecOps) rule engine to build composite rules. Today’s blog applies the concepts we’ve covered to date but now we are going to leverage risk calculations from the underlying rules and their detections to generate an alert focused on a user or asset’s activities. Risk Score Let’s start with the risk score. Long time readers of this blog series may recall that we have discussed risk scores in the past. It’s called in the outcome section of a YARA-L rule and can be used with conditional statements to generate a value. We then extended the use of a risk score to Risk Analytics within Google SecOps. What you may not know about risk scores is that because rules could be created without a risk score, rules wouldn’t always have a risk value in them, which makes it a bit difficult to quantify risk. So, in an effort to leverage risk scoring in detections and alerts, we’ve added a default risk score. This defa

2532

6 days ago

cmmartin_googleStaff

Community Blog

Detecting Impossible Travel, with Google SecOps: Part 1

Introduction Imagine a user logging in from New York, then minutes later, accessing files from a server in Tokyo.  Physically impossible? Absolutely. But in the realm of cybersecurity, this "impossible travel" could signal a compromised account or a sophisticated attack. In part 1 of this series, we'll delve into the Impossible Travel use case and demonstrate how to implement detection within Google SecOps. We'll create a custom YARA-L Detection rule, leveraging GeoSpatial functions like math.geo_distance, and make use of SecOps SIEM's native GeoIP enrichment. Then, in part 2, we'll showcase how to present the findings in a clear and actionable Case within SecOps SOAR. Did the user really reach Mach 4, four times the speed of sound?  Read on to find out. What is Impossible Travel? Impossible travel occurs when a user's activity appears to originate from geographically distant locations within an unrealistically short time frame. This often signals compromised credentials, en

49114

6 days ago

MKaganovichStaff

Community Blog

Shadow Agents: A New Era of Shadow AI Risk in the Enterprise

Co-Author: Anton Chuvakin Shortly after gen AI took the world by storm, we noted the emergence of shadow AI in the workplace as well-intentioned employees eagerly took to using consumer-grade gen AI in business situations, often without realizing the security risks such use posed. Following this, gen AI’s swift adoption by the public permeated the enterprise setting, driven by the ardent desire to achieve efficiency and drive innovation. Soon after, we saw the landscape shift and shadow AI re-emerged in a slightly different form - this time, as SaaS enterprise-grade gen AI. This new breed of gen AI possesses enhanced security and privacy controls, but is being used absent proper governance and oversight. Now, AI agents have entered the scene as the latest milestone in the AI maturity curve, taking AI capabilities beyond reactive responses to users’ queries to proactive, goal-oriented task execution. While many agentic AI applications remain conceptual, their potential is evident. For

4631

6 days ago

Crystal_LStaff

Community Blog

Navigating Emerging Threats in the Cloud-Native Software Supply Chain with Cloud Defenses

Remember when supply chain attacks primarily targeted on-premise or hybrid environments? Think SolarWinds in 2020 where SVR-attributed actors injected SUNBURST malware into the Orion build process, impacting thousands of organizations. Or even the Okta support systems breach in 2023, a multi-layered attack of social engineering and token theft that led to a massive customer data exposure.While those were significant, things have changed. Notably, in September 2025, researchers at Palo Alto Networks demonstrated a new AI supply chain attack method called "Model Namespace Reuse" that allows attackers to register names associated with deleted or transferred models on platforms like Hugging Face, enabling them to deploy malicious AI models and achieve arbitrary code execution. The attack was successfully demonstrated against Google's Vertex AI and Microsoft's Azure AI Foundry, and thousands of open-source repositories were found to be susceptible. Today's risk and threat landscape is incre

370

9 days ago

rkneelakandanStaff

Community Blog

Beyond the Algorithm: The Compliant Data Foundation for Life Sciences AI Demands

Co-Author: Bhavana BhinderThe promise of AI in life sciences is immense—accelerating discovery, optimizing manufacturing, and ultimately, improving patient outcomes. But while much of the focus is on powerful models like Gemini, the reality in a regulated environment is simple: your AI is only as trustworthy as the data it’s built upon.For leaders in GxP environments, deploying AI isn't just a technical challenge; it's a compliance imperative. This is a practical guide for building the robust data foundation your AI needs, ensuring you can innovate with confidence on Google Cloud. We’ll show you how to create the auditable, high-integrity data ecosystem required to satisfy regulators like the FDA.It can be helpful to think of security, privacy and compliance of AI systems by looking at the elements that make up typical AI use cases: infrastructure that serves the model and protects the data and applications, data that is used to both fine tune models and complement interactions with mo

1260

9 days ago

sbxStaff

Community Blog

Uncovering Hidden e-Commerce Fraud Patterns with reCAPTCHA

TLDR We're excited to announce two new features for reCAPTCHA Transaction Defense: Explainability and Console Improvements. These enhancements give you more control over transaction risk analysis and greater transparency into the reasoning behind risk scores.Did you know that 71% of organizations are victims of payment fraud attacks? (JP Morgan & AFP Payments Fraud and Control Report) reCAPTCHA Transaction Defense is designed to protect businesses from this evolving threat by providing a risk verdict related to carding and chargebacks at the moment of a transaction. Today, we're making that defense even stronger and more transparent. What's New? We are launching two powerful new features to give you deeper insights and finer control over how you protect your transactions. 1. Transaction Defense Explainability This feature provides clear, concise reasons why a particular transaction is assessed as risky. This "explainability" moves beyond a simple score, allowing you to understand

750

9 days ago

mhmStaff

Community Blog

Building Towards an Agentic SOC: Introducing SecOps Labs

The Agentic SOC isn't a distant goal; it's a journey we are already embarking on with our customers. Building the future of security is a collaborative effort, one that requires a deep partnership with the defenders on the front lines. Our vision for an Agentic SOC involves building specialized AI agents such as the Alert Investigation agent, which is currently in preview, and helping customers build AI agents unique to their environment by supporting tools like an open source Google Security Operations MCP server. With the strong momentum seen for the Alert Investigation agent and Google Security Operations MCP servers, we want to accelerate getting powerful, cutting-edge ideas into the hands of practitioners as early as possible. We’re taking the next step in this journey with SecOps Labs. SecOps Labs provides early access to AI pilots, through a dedicated space within the product for you to test, explore, and influence the next generation of Google Security Operations technologies.

24364

11 days ago

vesselinStaff

Community Blog

Extending Manufacturing Security Operation Center (SOC) on SecOps with Dataflow Data Pipelines

Blog Authors:Vesselin Tzvetkov, Principal Security Engineer Anthony Lazzaro, Strategic Cloud Engineer Canburak Tumer, Strategic Cloud Engineer Security Operations Centers (SOCs) are critical for monitoring and responding to threats, but in manufacturing environments, they face unique hurdles. Manufacturing relies heavily on Operational Technology (OT) systems using diverse, often proprietary or binary protocols to control Programmable Logic Controllers (PLCs) or and other industrial equipment, like for example S7 protocol, Modbus TCP etc. Traditional IT-focused SOCs often lack visibility into this OT world. As IT, OT, Internet of Things (IoT), and Industrial IoT (IIoT) systems become increasingly interconnected, like connected vehicles or smart manufacturing lines, the attack surface expands, making comprehensive security monitoring essential. However, bridging the historical divide between IT and OT security monitoring, especially when dealing with non-standard data formats, remains

2280

14 days ago

Community Blog

Blog Articles

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded