
Ingestion

Configure Data Ingest

Data Ingest is the core of Google SecOps: it ingests raw log data, alerts, and other information. Ingested information is normalized and indexed for rapid search, then enriched with context from other ingested sources, including threat intelligence feeds.

Configuring data ingest is the first step in preparing Google SecOps to correlate security events for your SecOps team. Indexing, context enrichment, and search give your analysts a comprehensive view of threats and events so they can respond rapidly.

 


Install & Configure Forwarders

The Google SecOps SIEM forwarder is a software component that runs on a machine or device on your network, such as a server. It collects log data and network interface packets and forwards that data to your Google SecOps SIEM instance.

 

Steps
  1. To add a new forwarder, users will select Settings in the left-side Navigation Bar and then select SIEM Settings, which will display the Settings page. 
  2. In the Settings page, users will select Forwarders, which will display the Forwarders page. 
  3. Users can search for Forwarders in the Search bar.
  4. Users also have the ability to filter the list of Forwarders by selecting the Filter icon to the left of Create Forwarder.
  5. Users can add a new Forwarder by selecting Add New Forwarder.
  6. In the Forwarder Name field, enter a name for the new Forwarder. 
  7. To further configure the forwarder, users will expand the Configuration Values section and specify any of the following (a Regular expression together with its Filter behavior determines whether matching log lines are forwarded or dropped, so test the expression against sample lines before relying on it):
    1. Upload compression
    2. Asset namespace
    3. Label key
    4. Label value
    5. Filter description
    6. Regular expression
    7. Filter behavior
  8. Optional: Toggle Server Settings to configure the forwarder's built-in HTTP server, which can be used to configure load balancing and high availability options for syslog collection on Linux.
  9. Click Submit.
Relevant Documentation Links

 

 


Parsers

A parser is the component that normalizes raw log data into the Unified Data Model (UDM) so that it can be searched and correlated. Google SecOps provides default parsers for supported log types; where a log source is not supported or the default mapping does not fit, users can write a custom parser and check its UDM output before it goes live.

 

Steps
  1. To add a new Parser, users will select Settings in the left-side Navigation Bar and then select SIEM Settings, which will display the Settings page. 
  2. In the Settings page, users will select Parsers, which will display the Parsers page. 
  3. Users can search for Log Types in the Search bar or from the Log Source list. 
  4. Users also have the ability to filter the list of Parsers by selecting the Filter icon to the left of Create Parser.
  5. Users can add a new Parser by selecting Create Parser.
  6. Users will see a Create New Custom Parser popup.
  7. On the Create New Custom Parser popup, users will choose the Log Source in the Select the Log Source field. 
  8. To configure the new Custom Parser, users will write the parser code in the Parser Code Terminal.
  9. Users can see the UDM Output in the UDM Output Preview box, to the right of the Parser Code Terminal, by selecting the Preview button. 
  10. The validation process may take a few minutes, so we recommend that you preview the Custom Parser first, make changes if required, and then validate it.
  11. If the UDM Output is correct and final, users will select Validate to create the Parser.
  12. Click Submit.
  13. The Parser is picked up for normalization after 20 minutes. Once submitted, the custom parser takes precedence over the default parser for that log type, so preview it against representative sample logs before validating.
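The following is an added illustration of what goes into the Parser Code Terminal; it is not code from this page or one of Google's default parsers. It uses the Logstash-style parser syntax Google SecOps accepts and assumes a constructed, hypothetical application log line of the form `2024-05-01T12:00:00Z LOGIN user=alice src=10.1.2.3 result=SUCCESS`. The UDM field choices (product and vendor names, the auth type, the security_result action) are assumptions made for the example. Lines that do not match the pattern are dropped and tagged so the UDM Output Preview shows them as unsupported instead of emitting a half-filled event.

```logstash
filter {
  # Sample raw log (constructed for this example):
  #   2024-05-01T12:00:00Z LOGIN user=alice src=10.1.2.3 result=SUCCESS

  # Initialize every field the grok pattern populates, so a reference to a
  # field that was never set does not error out the parser.
  mutate {
    replace => {
      "ts" => ""
      "action" => ""
      "user" => ""
      "src" => ""
      "result" => ""
    }
  }

  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:ts} %{WORD:action} user=%{USERNAME:user} src=%{IP:src} result=%{WORD:result}"
    }
    overwrite => ["ts", "action", "user", "src", "result"]
    on_error => "grok_failed"
  }

  # Non-matching lines are dropped and tagged; the preview then shows the
  # failure rather than a partial UDM event.
  if [grok_failed] {
    drop { tag => "TAG_UNSUPPORTED" }
  }

  # grok already guaranteed an ISO 8601 string, so parse it into @timestamp.
  date {
    match => ["ts", "ISO8601"]
  }

  # Event metadata. Product and vendor names are assumptions for this example.
  mutate {
    replace => {
      "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN"
      "event1.idm.read_only_udm.metadata.product_name" => "ExampleApp"
      "event1.idm.read_only_udm.metadata.vendor_name" => "ExampleVendor"
      "event1.idm.read_only_udm.metadata.product_event_type" => "%{action}"
      "event1.idm.read_only_udm.target.user.userid" => "%{user}"
      "event1.idm.read_only_udm.extensions.auth.type" => "MACHINE"
    }
  }
  mutate {
    rename => { "@timestamp" => "event1.idm.read_only_udm.metadata.event_timestamp" }
  }

  # principal.ip is a repeated UDM field, so it is merged rather than replaced.
  mutate {
    merge => { "event1.idm.read_only_udm.principal.ip" => "src" }
  }

  # security_result is also repeated: build one entry, then merge it in.
  if [result] == "SUCCESS" {
    mutate { replace => { "security_result.action" => "ALLOW" } }
  } else {
    mutate { replace => { "security_result.action" => "BLOCK" } }
  }
  mutate {
    merge => { "event1.idm.read_only_udm.security_result" => "security_result" }
  }

  # Emit the finished event.
  mutate {
    merge => { "@output" => "event1" }
  }
}
```

Paste the parser into the Parser Code Terminal, select Preview with a few sample lines in this format (including one deliberately malformed line to confirm it is dropped with TAG_UNSUPPORTED), and only then select Validate.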
Relevant Documentation Links

 

 


Create and Manage Feeds

Google SecOps allows users to create, manage, and troubleshoot feeds using the feed management UI. Managing the feeds includes modifying, enabling, and deleting them. Each data feed has its own set of prerequisites that must be completed prior to setting up the feed in Google SecOps.

 

Steps
  1. To add a feed to your Google SecOps account, complete the following steps. Up to five feeds can be added for each log type.
  2. From the Google SecOps menu, select Settings, SIEM Settings, and then click Feeds. The data feeds listed on this page include all the feeds that Google has configured for your account in addition to the feeds that you have configured.
  3. Click Add New. The Add Feed window is displayed.
  4. Enter a feed name. Then search the Source type list and select the source type through which the data will be brought into Google SecOps. The following feed source types are available:
    1. Amazon Data Firehose
    2. Amazon S3
    3. Amazon SQS
    4. Google Cloud Pub/Sub
    5. Google Cloud Storage
    6. HTTP(S) Files (non-API)
    7. Microsoft Azure Blob Storage
    8. Third party API
    9. Webhook
  5. In the Log Type list, select the log type corresponding to the logs to be ingested. The log types available vary depending on which source type was selected previously. 
  6. Click Next.
  7. Review the new feed configuration on the Finalize tab. Click Submit when ready. Google SecOps completes a validation check of the new feed. If the feed passes the check, a name is generated for the feed, it is submitted to Google SecOps, and Google SecOps begins to attempt to fetch data. The source-specific prerequisites (for example, credentials and read permissions on the bucket, queue, or topic) must already be in place, or the check will not pass.
Relevant Documentation Links

 

 


Connectors

Google SecOps SOAR uses connectors to ingest alerts from a variety of data sources into the platform. A connector is one of the items in an integration package which can be downloaded through the Google SecOps Marketplace.

 

Prerequisites
  • Users will need to download an Integration that has a Connector from the Marketplace.
Steps
  1. To add a new Connector, users will select Settings in the left-side Navigation Bar and then select SOAR Settings, which will display the Settings page. 
  2. In the Settings page, users will open the Ingestion dropdown menu and select Connectors. 
  3. A Connectors popup page will appear, which will display a Search field for finding Connectors. 
  4. Users can also select the Create New Connector button at the top-right of the Connectors popup page. 
  5. An Add Connector popup page will appear, where users can select a Connector from the dropdown list. 
  6. To run the Connector on a remote agent, select the Remote Connector checkbox. 
  7. If no Agents are configured, users can select Install Agent in the Add Connector popup. 
  8. Users will then select Create.
  9. A New Connector Configuration page will appear, where users configure the New Connector across its three tabs of input fields.
  10. When complete, users will select Save.
  11. If users need to add a Domain, they will navigate to Settings > SOAR Settings > Environments > Domains.
  12. Users will click the Add button on the top right of the Domains page. 
  13. Enter the Domain and Environment into the Add Domain popup.
  14. When complete, users will select Add.
  15. If users also need to define a Network for an Environment (see the manage-networks link below), they will enter the following and then select Add:
    1. Name
    2. CIDR Format
    3. Priority level
    4. Environment
Relevant Documentation Links

https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/define-domains-for-mssps

https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/manage-networks

 

 

Utilize SecOps Marketplace

The Google SecOps Marketplace is a central hub for pre-built integrations, community-developed playbooks, and analytics, all designed to streamline Security Operations Center (SOC) workflows and incident response.

The Marketplace connects Google SecOps with third-party security tools, automates repetitive tasks with pre-built playbooks, and provides dashboards for reporting. This lets the SOC team focus on combating threats rather than on building integrations from scratch.

Prerequisites
  • Entitlement for Google SecOps on the account and project.
  • Administrative access to Google SecOps.
  • Administrative access for any 3rd party applications that are intended to be connected to Google SecOps


Marketplace Use-Cases

The Google SecOps Marketplace acts as the customer's toolbox, holding a wide range of utilities and options to choose from. The Marketplace also contains a repository for predefined Use Cases, Power Ups that enhance Playbook capabilities, and Analytics that provide valuable insights.

 

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page.
  2. Users will see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. Users will select the Use Cases tab, which will display the pre-defined Use Cases at the bottom of the page.
  4. In the Marketplace page, users will see a Search bar at the top-right of the page to search for Use Cases.
  5. Users will have the option to filter, at the center of the page, the categories of Use Cases they want to display.
  6. These categories consist of:
    1. Malware
    2. Endpoint
    3. Threat Hunting
    4. Investigation
    5. Threat Intelligence
    6. Insider Threat
    7. …and more
  7. To the right of Filters is a Use Case Option menu, which gives the user a choice to:
    1. Create New Use Case 
    2. Export Use Case
    3. Refresh
  8. For the SCCE version of SecOps, Create New Use Case may not be available.
  9. Selecting Install on a Use Case opens a popup window that walks through the Use Case in five steps:
    1. Use Case Information
    2. Use Case Items
    3. Install Use Case Items
    4. Configure Integrations
    5. Run Use Case
  10. Typically the Use Case Information section will display a video from Google SecOps that gives users a basic overview and step-by-step instructions on how to install and run the Use Case.
  11. On the same page, users will see a description and three to four dropdowns that display:
    1. Playbooks
    2. Integrations
    3. Test Cases
    4. Connectors
  12. Users will select Next.
  13. Users will see the Use Case Items page, with Install Use Case Items at the top of the page. Here users will be able to:
    1. Install Integrations
    2. Install Playbooks
    3. Install Simulation Cases
  14. This section has a Search function and an option to Override existing Ontology.
  15. Users will select Install to install the Use Case items. Once the installation is completed, the page will display Installation Completed, with all of the Integrations, Playbooks, and Simulation Cases installed. Then select Next.
  16. Users will see the Configure Integrations page, listing all of the Integrations. Each Integration will have the following fields to configure:
    1. Instance
    2. Environment
    3. Instance Name
    4. Description
    5. Parameters
    6. API Key
    7. Verify SSL
  17. Users will then have the option to Test and Save each Integration. The API Key is a credential for the connected tool and should be scoped to the minimum the playbooks need; leave Verify SSL enabled unless the target presents a certificate the platform cannot validate.
  18. When complete, users will select Next.
  19. In the Run Use Case page, users will see an option to Select Alert for Simulation; select the checkbox next to the Use Case and select Next.
  20. Once selected, users will see a Congratulations message and the Next Steps to:
    1. Simulate More Alerts
    2. Connect Your Data
    3. Connect your Remote Environment
  21. Users will select Finish.
Relevant Documentation Links
Use Case Example
  1. Here is an example of how to install and configure the Use Case "SCC Enterprise - Cloud Orchestration & Remediation":
  2. Users will select Marketplace on the left Navigation Bar.
  3. Select the Use Cases tab on the Google SecOps Marketplace page. 
  4. In the pre-defined Use Cases below, select the Community version of SCC Enterprise - Cloud Orchestration & Remediation and click Install.
  5. Watch the guide video (if available) in the Use Case Information section, where users will see the Playbooks, Integrations, Test Cases, and Connectors associated with the Use Case, and select Next.
  6. In the Use Case Items section, users will see the Integrations, Playbooks, and Simulation Cases that will be installed. If there is a conflict with an existing Ontology and the user chooses to override it, they will select the box next to Override Existing Ontology (overriding replaces the current mapping, so confirm nothing in use depends on it). Once complete, users will select Install.
  7. Once installed, users will see that their installation is complete, and will select Next.
  8. Once users configure their Integration, they can Test and Save the configuration, then select Next.
  9. In the Run Use Case section, users will select the Alert for Simulation by selecting the checkbox next to the Use Case, then select Next.
  10. In the final step, once the Use Case is deployed, users will see instructions on Next Steps and how to navigate to the Cases screen to see the simulations in action. Once done, select Finish.

 

 


Marketplace Integrations

The Integrations tab of the Marketplace lists the integration packages that connect Google SecOps to Google and third-party tools. A Connector is one of the items in an integration package, so an Integration must be installed here before its Connector can be configured.

 

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page. 
  2. Users will see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. In the Marketplace page, users will see a Search bar at the top-right of the page to search for Integrations.
  4. Users will select Integrations, which will display the pre-defined Integrations at the bottom of the page.
  5. Users will have the option to filter, at the center of the page, the categories of Integrations they want to display.
  6. These categories consist of:
    1. Security
    2. Threat Intelligence
    3. IT & Infrastructure
    4. Access Management
    5. IAM
    6. …and more
  7. At the top of the page are two dropdown menus:
    1. Type
    2. Status
  8. In the Type menu, users can select from the following Integrations (Published by Community integrations are maintained by the community rather than by Google, so review their source and required permissions before installing them):
    1. All Integrations
    2. Google SecOps Integrations
    3. Published by Community
    4. Custom Integrations
  9. In the Status menu, users can select Integrations that are:
    1. Installed
    2. Not Installed
    3. Available Upgrade
  10. Users can read the details of each Integration by selecting the Details button.
Relevant Documentation Links

 

 


Marketplace Power-Ups

The Power Ups tab of the Marketplace lists Power Ups, add-ons that enhance Playbook capabilities. Like Integrations, Power Ups are installed and upgraded from the Marketplace.

 

Steps
  1. To begin, users will go to the left-side Navigation Bar and then select Marketplace, which will display the Google SecOps Marketplace page. 
  2. Users will see three tabs to select from, consisting of:
    1. Use Cases
    2. Integrations
    3. Power Ups
  3. In the Marketplace page, users will see a Search bar at the top-right of the page to search for Power Ups.
  4. Users will select Power Ups, which will display the pre-defined Power Ups at the bottom of the page.
  5. Users will have the option to filter the list of Power Ups by Status, using the following options:
    1. Installed
    2. Not Installed
    3. Available Upgrade
  6. Users can read the details of each Power Up by selecting the Details button.
Relevant Documentation Links

 

 

Next Step: Security Command Center Enterprise: Step 4.1.3 - Remediation | Google SecOps | Detection

Previous Step: Security Command Center Enterprise: Step 4.1.1 - Remediation | Google SecOps | Administration 
