Data ingest is the core of Google SecOps: it ingests raw log data, alerts, and other information. Ingested information is normalized and indexed for rapid search, then enriched with context from other ingested sources, including threat intelligence feeds.
Configuring data ingest is the first step in preparing Google SecOps to correlate security events for your SecOps team. Google's industry-leading SecOps indexing, context enrichment, and search enable your SecOps analysts to respond rapidly with a comprehensive view of threats and events.
Actions

Install & Configure Forwarders
Google SecOps SIEM forwarder is a software component that runs on a machine or device on your network, such as a server. Google SecOps SIEM forwarder can collect log data and network interface packets and forward that data to your Google SecOps SIEM instance.
Steps
- To add a new forwarder, select Settings in the left-side navigation bar and then select SIEM Settings, which displays the Settings page.
- On the Settings page, select Forwarders, which displays the Forwarders page.
- Users can search for forwarders in the Search bar.
- Users can also filter the list of forwarders by selecting the Filter icon to the left of Create Forwarder.
- Users can add a new forwarder by selecting Add New Forwarder.
- In the Forwarder Name field, enter a name for the new forwarder.
- To further configure the forwarder, expand the Configuration Values section and specify any of the following:
  - Upload compression
  - Asset namespace
  - Label key
  - Label value
  - Filter description
  - Regular expression
  - Filter behavior
- Optional: Toggle Server Settings to configure the forwarder's built-in HTTP server, which can be used to configure load balancing and high availability options for syslog collection on Linux.
- Click Submit.
Relevant Documentation Links
Parsers
Parsers normalize raw log data into the structured Unified Data Model (UDM) format. Google Security Operations provides a set of default parsers that read original raw logs and generate structured UDM records from the data in the original raw log.
Steps
- To add a new parser, select Settings in the left-side navigation bar and then select SIEM Settings, which displays the Settings page.
- On the Settings page, select Parsers, which displays the Parsers page.
- Users can search for log types in the Search bar or from the Log Source list.
- Users can also filter the list of parsers by selecting the Filter icon to the left of Create Parser.
- Users can add a new parser by selecting Create Parser.
- The Create New Custom Parser popup appears.
- In the Create New Custom Parser popup, enter a new log source in the Select the Log Source field.
- To further configure the new custom parser, write the parser code in the Parser Code terminal, then select the Validate button.
- Users can see the UDM output in the UDM Output Preview box, to the right of the UDM Output text box, by selecting the Preview button.
- If the UDM output is correct and final, select Validate to create the parser.
- The validation process may take a few minutes, so we recommend previewing the custom parser first, making changes if required, and then validating the custom parser.
- Click Submit.
- The parser is picked up for normalization after 20 minutes.
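As an added illustration of what goes into the Parser Code terminal (this is not code from the page or from Google; it follows the Logstash-like syntax of Google SecOps custom parsers, and the vendor name, log line, and field names are constructed assumptions), the parser below maps a hypothetical VPN login line to a USER_LOGIN UDM event and drops lines it cannot parse:

```logstash
filter {
  # Constructed sample input this parser expects (one line):
  # 2024-05-01T10:15:22Z host=vpn-gw1 user=alice src=203.0.113.10 action=login result=success
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.vendor_name"  => "ExampleVPN"
      "event.idm.read_only_udm.metadata.product_name" => "VPN Gateway"
    }
  }
  # Split off the timestamp; on_error sets a flag instead of aborting the parser.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{GREEDYDATA:kvpairs}" }
    on_error => "grok_failed"
  }
  if [grok_failed] {
    # Malformed lines are dropped rather than emitted as half-populated events.
    drop { tag => "TAG_MALFORMED_MESSAGE" }
  }
  # Parse the remaining key=value pairs into fields named host, user, src, action, result.
  kv {
    source => "kvpairs"
    field_split => " "
    value_split => "="
    on_error => "kv_failed"
  }
  date {
    match => ["ts", "ISO8601"]
    target => "event.idm.read_only_udm.metadata.event_timestamp"
  }
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type"  => "USER_LOGIN"
      "event.idm.read_only_udm.extensions.auth.type" => "MACHINE"
      "event.idm.read_only_udm.target.hostname"      => "%{host}"
      "event.idm.read_only_udm.target.user.userid"   => "%{user}"
    }
  }
  # principal.ip is a repeated UDM field, so it is merged rather than replaced.
  mutate { merge => { "event.idm.read_only_udm.principal.ip" => "src" } }
  # Record whether the login succeeded so detections can key on security_result.action.
  if [result] == "success" {
    mutate { replace => { "security_result.action" => "ALLOW" } }
  } else {
    mutate { replace => { "security_result.action" => "BLOCK" } }
  }
  mutate { merge => { "event.idm.read_only_udm.security_result" => "security_result" } }
  # Emit the assembled event; nothing reaches UDM until it is merged into @output.
  mutate { merge => { "@output" => "event" } }
}
```

Preview shows the resulting UDM record before you validate; a sample line without the leading timestamp takes the grok_failed branch and produces no event, which is the behaviour to confirm before submitting.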
Relevant Documentation Links
Create and Manage Feeds
Google SecOps allows users to create, manage, and troubleshoot feeds using the feed management UI. Managing feeds includes modifying, enabling, and deleting them. Expect each data feed to have its own set of prerequisites that must be completed before setting up the feed in Google SecOps.
Steps
- To add a feed to your Google SecOps account, complete the following steps. Users can add up to five feeds for each log type.
- From the Google SecOps menu, select Settings, then SIEM Settings, and then click Feeds. The data feeds listed on this page include all the feeds that Google has configured for your account in addition to the feeds that you have configured.
- Click Add New. The Add Feed window is displayed.
- Enter a feed name, then search the Source type list and select the source type through which you intend to bring data into Google SecOps. Users can select from the following feed source types:
  - Amazon Data Firehose
  - Amazon S3
  - Amazon SQS
  - Google Cloud Pub/Sub
  - Google Cloud Storage
  - HTTP(S) Files (non-API)
  - Microsoft Azure Blob Storage
  - Third party API
  - Webhook
- In the Log Type list, select the log type corresponding to the logs you want to ingest. The log types available vary depending on the source type selected in the previous step.
- Click Next.
- Review the new feed configuration on the Finalize tab. Click Submit when you are ready. Google SecOps completes a validation check of the new feed. If the feed passes the check, a name is generated for the feed, it is submitted to Google SecOps, and Google SecOps begins attempting to fetch data.
Relevant Documentation Links
Connectors
Google SecOps SOAR uses connectors to ingest alerts from a variety of data sources into the platform. A connector is one of the items in an integration package which can be downloaded through the Google SecOps Marketplace.
Prerequisites
- Users will need to download an integration that includes a connector from the Marketplace.
Steps
- To add a new connector, select Settings in the left-side navigation bar and then select SOAR Settings, which displays the Settings page.
- On the Settings page, open the Ingestion dropdown menu and select Connectors.
- A Connectors popup page appears, displaying a Search field for selecting from the available connectors.
- Users can also select the Create New Connector button at the top right of the Connectors popup page.
- An Add Connector popup page appears, where users can select a connector from the dropdown list.
- To use a remote connector, select the Remote Connector checkbox.
- If no agents are configured, users can select Install Agent in the Add Connector popup.
- Select Create.
- A New Connector Configuration page appears.
- On this page, users can configure the new connector across three tabs, consisting of the following input pages:
  - Parameters, consisting of Mandatory and Advanced fields.
  - Testing
  - Logs
- When complete, select Save.
- If users need to add a domain, navigate to Settings > SOAR Settings > Environments > Domains.
- Click the Add button at the top right of the Domains page.
- Enter the Domain and Environment into the Add Domain popup.
- When complete, select Add.
- If users need to add a network, navigate to Settings > SOAR Settings > Environments > Networks.
- Click the Add button at the top right of the Networks page.
- Enter the following information into the Add Network popup:
  - Name
  - CIDR Format
  - Priority level
  - Environment
- When complete, select Add.
Relevant Documentation Links
- https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-chronicle#chronicle-alerts-connector (additional steps)
- https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/define-domains-for-mssps
- https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/manage-networks