Skip to main content

Security Operations: Step 1.2 - Administration | Admin Setup

  • October 31, 2024
  • 0 replies
  • 488 views
Digital-Customer-Excellence
Staff
Forum|alt.badge.img+7

Table of Contents

 

129272i44D96B6D4059FC18.png

Google SecOps has many options and support capabilities to assist your organization in creating and managing features and functionality.

 

Actions

129273iAA36430609E70A73.png
Access and Support

At times, the only way to troubleshoot problems on the customer's platform is to allow Google Support to create a user to access your instance.

 


Steps
  1. To begin users will select Settings in the left-side Navigation Bar and then select SOAR Settings, that will display the Settings page. 
  2. In the Settings page, users will select Advanced, that will display a drop-down list. Users will select Support Access
  3. On the Support Access page, that will provide access to Google Support
  4. Users will be able to select to Allow Access to Google Support, after selecting the mandatory fields below. 129279iA5479DA539441C0D.png
  5. Additional mandatory fields consist of:
    1. Select SOC Role
    2. Select Permission Group
    3. Select Environments
    4. Select Time Period
  6. Select Save.
  7. As soon as Google Support registers a new user, they will appear below.
Relevant Documentation Links

 

 

129274i31DBC23EAA913C31.png

Create Lists and Templates

Your organization can create a blocklist of items. These are composed of entities that the system does not group alerts by or entities which should not be displayed in the system.

 


Steps
  1. To add a new blocklist item users will navigate to SOAR Settings > Environments > Blocklist.
  2. Click Add on the top right of the screen.
  3. Enter Entity Identifier and select Entity Type, Action, and the Environment.
  4. Click Add129278i39F1F0DB9750BA27.png
Relevant Documentation Links

 

 

129275i826309BA8B14044E.png

Email Notifications

Your organization can set up an email box in Google SecOps to send emails to users. When you select the Google SecOps SMTP configuration (default), the platform email service sends your emails. You have the option to select the Customer Configuration and your email service will send out the emails.

 


Steps
  1. To begin users will select Settings in the left-side Navigation Bar and then select SOAR Settings, that will display the Settings page. 
  2. In the Settings page, users will select Advanced, that will display a drop-down list. Users will select Email Settings
  3. On the Email Settings page, users by default will see Google SecOps SMTP selected. 
  4. If users prefer to use a separate option, they will select Customer Configuration, to manually setup their email address, from which all system emails will be sent. Those selection options consist of:
    1. Sender Display Name
    2. Sender Email Address
    3. Username
    4. Password
    5. SMTP - Server Address
    6. SMTP - Port
    7. SMTP - Use SSL
    8. Require Authentication
    9. Trust Certificate
    10. Use Exchange OAuth
  5. When those sections are filled in, users can test the configuration.

  6.  When complete, users will select Save

Relevant Documentation Links

 

 

129276i8EC40E8FE4F3C41B.png

Data Retention & Logs

Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer "who did what, where, and when?" within your Google Cloud resources with the same level of transparency as in on-premises environments.

 

Prerequisites
  • To view audit logs, you must have the appropriate Identity and Access Management (IAM) permissions and roles.

Steps
  1. By default, Google retains Twelve Months of user data in the user’s Google SecOps account. This retention period can be extended as part of the Purchase Order. The retention period applies to all of the data in the user’s Google SecOps instance. 
  2. Google uses an automated system to remove historical data based on event and detection timestamps.
  3. Enabling audit logs helps users with security, auditing, and compliance entities that monitor Google Cloud data and systems for possible Vulnerabilities or external data misuse.
  4. Cloud Audit Logs provides the following audit logs for each Google Cloud project, folder, and organization:
    1. Admin Activity Audit Logs
    2. Data Access Audit Logs
    3. System Event Audit Logs
    4. Policy Denied Audit Logs
  5. Audit log entries include the following objects:
    • Log entry itself, which is an object of type LogEntry. Useful fields include the following:
      • logName contains the Resource ID and Audit Log Type.
      • resource contains the target of the audited operation.
      • timeStamp contains the time of the audited operation.
      • protoPayload contains the audited information.
  6. To enable audit logging for the chronicle.googleapis.com service, see Enable Data Access audit logs.
  7. To enable audit logging for other services, contact Google SecOps Support.
  8. To populate UDM Search and Raw Log Search Queries in the Google SecOps Audit Logs, update the Data Access Audit Logs configuration with the necessary permissions.
  9. In the navigation panel of the Google Cloud Console, select IAM & Admin > Audit Logs.
  10. Select an existing Google Cloud Project, Folder, or Organization.
  11. In Data Access Audit Logs Configuration, select Chronicle API.
  12. In the Permission Types tab, select all the listed permissions:
    1. Admin Read
    2. Data Read
    3. Data Write
  13. Click Save.
  14. Repeat steps 11 - 13 for Chronicle Service Manager API.
  15. To find and view audit logs, use the Google Cloud project ID.
  16. In the Google Cloud Console, use the Logs Explorer to retrieve your audit log entries for the Google Cloud project.
  17. In the Google Cloud Console, go to the Logging > Logs Explorer page. 129277i335F6782FA6F98E6.png
  18. Note: If users are using the Legacy Logs Viewer page, switch to the Logs Explorer page.
  19. On the Logs Explorer page, select an existing Google Cloud Project, Folder, or Organization.
  20. In the Query Builder pane, do the following:
    1. In Resource Type, select the Google Cloud resource whose audit logs you want to see.
    2. In Log Name, select the audit log type that you want to see:
      • For Admin Activity audit logs, select Activity.
      • For Data Access audit logs, select Data_access.
  21. If you don't see these options, no audit logs of that type are available in the Google Cloud Project, Folder, or Organization.
Relevant Documentation Links

 

 

Next Step: Security Operations: Step 2 - Ingestion 

Previous Step: Security Operations: Step 1.1 - Administration | Initial Config 

DailyInvestors

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.