Skip to main content

User Groups
Events

Create topic
Login

Community Webinar: SecOps Forwarder Deprecation & Open Telemetry Bindplane Use Cases

(Tue, Oct 28, 2:00 PM)

Security Forums

Welcome to the Google Cloud Security Forums! Your ultimate security conversation spot. Collaborate with peers and experts to solve challenges, together.

Google Security Operations

SecOps starts here! Q&A, ask, share, connect.

Google Threat Intelligence

Google Threat Intelligence chat space. Inquire, contribute, pass it on.

Security Command Center

SCC questions? Join in, discuss, solve together.

Security Validation

Security Validation forum: Engage, be curious, stay up to date

reCAPTCHA

reCAPTCHA troubleshooting. Find out the answers together.

Cloud Security Foundation

Join the discussion. Post, diagnose, get the latest.

Recently active
Help others

Google Security Operations

Comparing 400/500 to 200 Responses in Chronicle

Hi,I’m trying to create a Chronicle rule that identifies when the total number of error responses (400 or 500) across my environment is significantly higher than the number of successful responses (200) within a one-week period.Specifically, I want to trigger a detection if the total number of 400/500 responses during the week is at least twice the number of 200 responses — not necessarily from the same IP address.Is it possible to implement this kind of comparison between two response code groups in a single Chronicle rule, and how would you implement this?Also, is it necessarily possible to write Chronicle rules that check over a one-week time window, or are rules limited to 24-hour periods?Thank you!

ar3diuBronze 5

Google Security Operations

Error in GSuite Integration for SOAR

I’m trying to configure the GSuite Integration in SOAR:I have created a service account and granted the SecOps “soar-python” service account access with the Service Account Token Creator. I delegated domain-wide authority to this service account using the client ID and scopes from this guide: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-workspace#search_user_activity_events I also created an admin custom role in GWS Admin Console and assign it to a new user, as described in the guide. I configured the GSuite Integration in SOAR and I’m still getting the following error when using the Test button:```{'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'}```I understand that most of the time, the issue here are the scopes assigned to the Client ID in Admin Console, that’s why I checked them multiple times and made sure they are cor

agar_sNew Member

Google Security Operations

Peer Review process

Hi everyone,I’m currently working on designing and implementing a Peer Review process.I’ve created a scheduled task that runs weekly, and a playbook that is attached to this case.However, I’m struggling to find a way to automatically pull a closed case for an analyst to review — for example, a case related to an attack in Azure — using specific filters.Has anyone implemented something similar or found an efficient way to filter and assign closed cases for peer review?Thanks in advance for your help!Shalev

Chris_BSilver 2

Google Security Operations

How can we filter on recency of content - e.g. searching for 'dashboards' stuff and results include out-of-date content

Is there a way to search the SecOps community content (user threads, KBs, blogs, etc) and use a time filter?I was just trying to lookup some info about making dashboards and found a lot of stuff from last year using the legacy dashboards and was otherwise out of date thx

ORBRBronze 5

Google Security Operations

Line breaks not rendering properly in Microsoft Teams messages

We are testing the action “Send Chat Message” and “Send Message” for case escalation notifications to Microsoft Teams.When composing messages with new lines — using either \n, \r\n, or even manual line breaks (pressing Enter) — the Teams message still appears as a single continuous line, and the literal escape characters (\n or \r\n) are displayed in the message instead of actual line breaks. Is there an officially supported way to send messages from Google SecOps SOAR to Teams with preserved line breaks?

ericv-avaNew Member

Google Security Operations

Seeking advice: Using Chronicle to alert on log ingestion volumes thresholds

I’m currently leveraging curated Dashboard: Data Ingestion and Health to get insight on our daily volume ingestion. I modified a few queries there to make it suitable for our case. It occurred to me to leverage some of these data and create a simple daily/ weekly alert check if we have exceeded our daily ingestion allowance. example:events: $event.ingestion.component = "Ingestion API" //$Log_Type = $event.ingestion.log_type //$Log_Type != "" $date = timestamp.get_date($event.ingestion.end_time)match: $event,$date over 24houtcome: $Total_Size_Bytes = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_volume, 0)) $Total_Logs = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_count, 0))condition: $Total_Size_Bytes >= [removed by moderator] It turns out that the Yara-L rule editor complains the field ingestion does not exits. parsing: getting field descriptors: accessing field "udm.ingestion": field "ingestion" does not exist, valid fi

Google Threat Intelligence

AI Features in Google Threat Intelligence

Artificial Intelligence (AI) is integral to many features within the Google Threat Intelligenceportal. This document consolidates and rephrases existing information, with links to originalsources provided at the beginning of each section. 1.) Gemini is making our Search feature more powerful.2.) Code Insights is creating reports on what malware is attempting to do.3.) Threat Profiles have more insights thanks to the embedded use of AI.Gemini in our Search feature:To simplify search, Gemini in Threat Intelligence redefines search with natural language,allowing users to quickly obtain AI-powered overviews of a topic by asking a naturallanguage question.When you perform a single-term search, such as "what is APT44&quot;, you will receive theGemini search summary.Note: Gemini in Threat Intelligence search currently generates summaries exclusively fromGoogle Threat Intelligence reports, threat actor, malware, and campaign data. The Geminisummary is only displayed when relevant informati

Google Security Operations

Cloud Amor logs to chronicle

Hi, I want to verify that Cloud Armor logs are indeed visible in Chronicle through the Load Balancer logs.From what I understand, Cloud Armor events are included in the external load balancer logs and should appear in Chronicle withevent_type = "NETWORK_CONNECTION". When I filter the logs in secops ingestion, I currently use:OR log_id("loadbalancing.googleapis.com/external_regional_requests")OR log_id("requests") Is this filter sufficient to capture all relevant Cloud Armor activity (such as allowed or blocked requests),or are there additional log_id values that I should include to ensure full coverage of Cloud Armor logs in Chronicle? Thank you!

Kohei1117New Member

Google Security Operations

I want to assign department names to each feed id using a data table

I want to assign a department name to each feed ID using a data table.I want to assign a department name to the Department variable for each feed_id used for import.The data table contains a combination of feed_id and department name for each row. For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C".Is this possible?I tried creating the following query, but it didn't work.---------ingestion.log_type = "CISCO_MERAKI"$Department = if(ingestion.feed_id in %imano_feed_id.feed_id,%imano_feed_id.department ,"other")match:$Departmentoutcome:$Volume = math.round(sum(ingestion.log_volume) / (1000), 2)order:$Volume desc---------The error message is as follows:compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argumentIf the above is difficult, is it possible to manually set the department and only compare the feed_id fr

Google Security Operations

Log parsing extension issue on vmware

Log Parsing Issue in Restricted Pipeline (Chronicle/CBN/Logstash) We are encountering persistent syntax and parsing errors in a highly restricted log processing pipeline (likely based on Logstash/Grok, possibly within Google Chronicle or CBN). We need help structuring the code to handle the strict syntax and mixed log types without using advanced conditional logic. 1. Environment and Constraint Environment: Highly restricted log parsing pipeline (cannot use standard Logstash features). Confirmed Constraints (Key Failures): NO if/else conditionals (if [field] fails, if "tag" in [tags] fails). NO semicolons (;) allowed anywhere in the config. Field names must use snake_case (e.g., host_name). 2. The Core Problem: Mixed Log Types Our pipeline receives two distinct log formats that crash the system when we try to parse the second one, or when we encounter simple syntax errors.Log Type Sample Log (Raw) Envoy Access Log (Primary Goal) <166>2025-10-22T14:00:00.095

Google Security Operations

Comparing 400/500 to 200 Responses in Chronicle

Hi,I’m trying to create a Chronicle rule that identifies when the total number of error responses (400 or 500) across my environment is significantly higher than the number of successful responses (200) within a one-week period.Specifically, I want to trigger a detection if the total number of 400/500 responses during the week is at least twice the number of 200 responses — not necessarily from the same IP address.Is it possible to implement this kind of comparison between two response code groups in a single Chronicle rule, and how would you implement this?Also, is it necessarily possible to write Chronicle rules that check over a one-week time window, or are rules limited to 24-hour periods?Thank you!

ar3diuBronze 5

Google Security Operations

Error in GSuite Integration for SOAR

I’m trying to configure the GSuite Integration in SOAR:I have created a service account and granted the SecOps “soar-python” service account access with the Service Account Token Creator. I delegated domain-wide authority to this service account using the client ID and scopes from this guide: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-workspace#search_user_activity_events I also created an admin custom role in GWS Admin Console and assign it to a new user, as described in the guide. I configured the GSuite Integration in SOAR and I’m still getting the following error when using the Test button:```{'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'}```I understand that most of the time, the issue here are the scopes assigned to the Client ID in Admin Console, that’s why I checked them multiple times and made sure they are cor

Chris_BSilver 2

Google Security Operations

How can we filter on recency of content - e.g. searching for 'dashboards' stuff and results include out-of-date content

Is there a way to search the SecOps community content (user threads, KBs, blogs, etc) and use a time filter?I was just trying to lookup some info about making dashboards and found a lot of stuff from last year using the legacy dashboards and was otherwise out of date thx

ORBRBronze 5

Google Security Operations

Line breaks not rendering properly in Microsoft Teams messages

We are testing the action “Send Chat Message” and “Send Message” for case escalation notifications to Microsoft Teams.When composing messages with new lines — using either \n, \r\n, or even manual line breaks (pressing Enter) — the Teams message still appears as a single continuous line, and the literal escape characters (\n or \r\n) are displayed in the message instead of actual line breaks. Is there an officially supported way to send messages from Google SecOps SOAR to Teams with preserved line breaks?

ericv-avaNew Member

Google Security Operations

Seeking advice: Using Chronicle to alert on log ingestion volumes thresholds

I’m currently leveraging curated Dashboard: Data Ingestion and Health to get insight on our daily volume ingestion. I modified a few queries there to make it suitable for our case. It occurred to me to leverage some of these data and create a simple daily/ weekly alert check if we have exceeded our daily ingestion allowance. example:events: $event.ingestion.component = "Ingestion API" //$Log_Type = $event.ingestion.log_type //$Log_Type != "" $date = timestamp.get_date($event.ingestion.end_time)match: $event,$date over 24houtcome: $Total_Size_Bytes = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_volume, 0)) $Total_Logs = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_count, 0))condition: $Total_Size_Bytes >= [removed by moderator] It turns out that the Yara-L rule editor complains the field ingestion does not exits. parsing: getting field descriptors: accessing field "udm.ingestion": field "ingestion" does not exist, valid fi

Kohei1117New Member

Google Security Operations

I want to assign department names to each feed id using a data table

I want to assign a department name to each feed ID using a data table.I want to assign a department name to the Department variable for each feed_id used for import.The data table contains a combination of feed_id and department name for each row. For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C".Is this possible?I tried creating the following query, but it didn't work.---------ingestion.log_type = "CISCO_MERAKI"$Department = if(ingestion.feed_id in %imano_feed_id.feed_id,%imano_feed_id.department ,"other")match:$Departmentoutcome:$Volume = math.round(sum(ingestion.log_volume) / (1000), 2)order:$Volume desc---------The error message is as follows:compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argumentIf the above is difficult, is it possible to manually set the department and only compare the feed_id fr

Google Security Operations

Log parsing extension issue on vmware

Log Parsing Issue in Restricted Pipeline (Chronicle/CBN/Logstash) We are encountering persistent syntax and parsing errors in a highly restricted log processing pipeline (likely based on Logstash/Grok, possibly within Google Chronicle or CBN). We need help structuring the code to handle the strict syntax and mixed log types without using advanced conditional logic. 1. Environment and Constraint Environment: Highly restricted log parsing pipeline (cannot use standard Logstash features). Confirmed Constraints (Key Failures): NO if/else conditionals (if [field] fails, if "tag" in [tags] fails). NO semicolons (;) allowed anywhere in the config. Field names must use snake_case (e.g., host_name). 2. The Core Problem: Mixed Log Types Our pipeline receives two distinct log formats that crash the system when we try to parse the second one, or when we encounter simple syntax errors.Log Type Sample Log (Raw) Envoy Access Log (Primary Goal) <166>2025-10-22T14:00:00.095

gshacksNew Member

Cloud Security Foundation

Continuous Firebase Authentication Error in WebApp

I have been trying to deploy and run a simple Firebase Cloud Function. Every attempt fails due to what appears to be a fundamental issue with service account creation and authentication context in my project.Symptoms:When calling the function, the context.auth object is always null or undefined, even when the client sends a valid, verified ID token. The function logs show The function must be called while authenticated. During deployment, I am now receiving the error: Error: Error generating the service identity for pubsub.googleapis.com.We have already verified the following:The project is linked to an active billing account. All necessary APIs are enabled (Cloud Functions, Cloud Build, Run, Artifact Registry, IAM, etc.). We have tried manually adding IAM service accounts and toggling the Cloud Functions API off and on. We have removed all restrictions from the browser API key.The project seems unable to correctly manage its own service identities and pass authentication context to it

random_user123New Member

Google Security Operations

Creating a dashboard for average transition time and average handling time of stages

In the old legacy SOAR dashboard I was able to create widgets which showed me average handling time of stages. For average transition time between stages, I was using the ROI template. However, in the new dashboard I am not able to replicate this. Gemini did not help either. Does anyone has a tip?

ar3diuBronze 5

Google Security Operations

SCCP Toxic Combination Findings in SOAR Cases

For SCCE customers, there’s a a SOAR SCC Enterprise Response Integration that can be used for ingesting Toxic Combination findings and syncing their status. What should I use if I have SCCP and SecOps? I can’t find the SCC Enterprise integration on the Marketplace. I can’t also import it from another instance. A detection rule in SIEM would be the easiest way to go but it looks like a new log is written in SIEM every time the toxic combination finding is updated by SCC engine. Any suggestions?

Unsolved Topics

Can you help?

Comparing 400/500 to 200 Responses in Chronicle

0

Error in GSuite Integration for SOAR

2

Peer Review process

3

How can we filter on recency of content - e.g. searching for 'dashboards' stuff and results include out-of-date content

2

Line breaks not rendering properly in Microsoft Teams messages

1

Community Leaders

The leaderboard is currently empty. Contribute to the community to earn your spot!

The leaderboard is currently empty. Contribute to the community to earn your spot!

Powered by Gainsight

Terms & Conditions Cookie settings Accessibility statement

Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.

Sign up

Already have an account? Login

Login with SSO

or

Username *

E-mail address *

First Name

Last Name

Company *

Job Title

Product of Interest

SecOps Google Threat Intelligence Security Command Center reCAPTCHA Other

Country

Password *

I accept the terms of use

loginBox.register.email_repeat

Login to the community

No account yet? Create an account

Login with SSO

or

Username or Email

Password

Remember me

Forgot password?

Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.

Enter your e-mail address

Back to overview

Scanning file for viruses.

Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.

OK

This file cannot be downloaded

Sorry, our virus scanner detected that this file isn't safe to download.

OK