Google Security Operations
Overview
Google Security Operations (formerly Chronicle) is Google Cloud's security analytics platform for threat detection and response. It ingests and analyzes security telemetry at scale, providing threat hunting, investigation, and detection capabilities powered by Google's infrastructure.
DataStream provides native integration through the gcpsecops target, enabling direct log forwarding with automatic format conversion and regional endpoint selection.
Key Benefits
- 22 Regional Endpoints - Deploy to the region closest to your data residency requirements, including US, Europe, Asia-Pacific, Middle East, and Africa
- Automatic UDM Normalization - Convert ECS-formatted logs to Google's Unified Data Model without manual field mapping
- Pre-built Pipeline Templates - 13 ready-to-use pipelines for Windows, Linux, and Syslog sources with vendor-specific parsing
- Flexible Authentication - Service account credentials with environment variable support for secure credential management
Unified Data Model (UDM)
Google SecOps uses the Unified Data Model (UDM) to standardize security telemetry across different log sources. DataStream supports two ingestion modes:
| Mode | Description | Use Case |
|---|---|---|
| Unstructured | Raw log data with a log type identifier | Default mode, SecOps handles parsing |
| UDM | Pre-normalized data in UDM format | When DataStream handles normalization |
When using UDM mode with send_events_as: udm, DataStream automatically maps ECS fields to UDM equivalents. Key mappings include:
| ECS Field | UDM Field |
|---|---|
| source.* | principal.* |
| destination.* | target.* |
| network.* | network.* |
| file.* | target.file.* |
DataStream supports automatic ASIM-to-UDM translation for: NetworkSession, WebSession, DnsActivity, Authentication, FileEvent, ProcessEvent, RegistryEvent, AuditEvent, DhcpEvent, and UserManagement schemas.
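As an added illustration of the prefix renaming described above (example code, not DataStream's own implementation): a small Python mapper that applies the four ECS-to-UDM prefix mappings from the table to a constructed ECS event, parking any field without a mapping under a hypothetical `additional` key so it is not silently dropped.

```python
# Illustrative ECS -> UDM mapper (added example, not DataStream's own code). Only the
# four prefix mappings from the table are applied; unmapped fields go under "additional".
from typing import Any, Dict
ECS_TO_UDM_PREFIXES = {  # ECS prefix -> UDM prefix, as listed on the page
    "source.": "principal.",
    "destination.": "target.",
    "network.": "network.",
    "file.": "target.file.",
}

def flatten(event: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    # {"source": {"ip": x}} -> {"source.ip": x}
    out: Dict[str, Any] = {}
    for key, value in event.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out
def unflatten(flat: Dict[str, Any]) -> Dict[str, Any]:
    # {"target.file.name": x} -> {"target": {"file": {"name": x}}}
    out: Dict[str, Any] = {}
    for dotted, value in flat.items():
        *parents, leaf = dotted.split(".")
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out

def ecs_to_udm(event: Dict[str, Any]) -> Dict[str, Any]:
    """Rename each flattened ECS field by prefix, then rebuild the nested UDM event."""
    udm_flat: Dict[str, Any] = {}
    for dotted, value in flatten(event).items():
        for ecs_prefix, udm_prefix in ECS_TO_UDM_PREFIXES.items():
            if dotted.startswith(ecs_prefix):
                udm_flat[udm_prefix + dotted[len(ecs_prefix):]] = value
                break
        else:  # no mapping matched: keep the field rather than lose it
            udm_flat["additional." + dotted] = value
    return unflatten(udm_flat)

# Constructed ECS-style event (sample data, not captured from a real host).
SAMPLE_ECS_EVENT = {
    "source": {"ip": "10.0.0.5", "port": 51515},
    "destination": {"ip": "10.0.0.20", "port": 445},
    "network": {"transport": "tcp"},
    "file": {"name": "report.docx", "hash": {"sha256": "<constructed>"}},
    "event": {"action": "file_open"},  # not in the page's mapping table
}
```

Running `ecs_to_udm(SAMPLE_ECS_EVENT)` yields `principal.ip`, `target.port` and `target.file.hash.sha256`, with the unmapped `event.action` preserved under `additional`.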
Quick Start
Create a target configuration with your SecOps customer ID and region:
Target Configuration
```yaml
name: my-secops-target
type: gcpsecops
properties:
  customer_id: your-customer-id
  region: us
  default_log_type: WINEVTLOG
  authentication_method: credentials
  service_account_credentials: |
    { "type": "service_account", ... }
```
Connect the target to a device through a route:
Route Configuration
```yaml
name: windows-to-secops
device: windows-events
pipeline: gcp_secops_windows_security
target: my-secops-target
```
Configuration Reference
For complete configuration options including all authentication methods, regional endpoints, and advanced settings:
- Google SecOps Target - Current API (v1/v2)
- Google Chronicle Target - Legacy API
Pipeline Templates
DataStream includes pre-built pipelines optimized for Google SecOps ingestion:
| Template | Purpose |
|---|---|
| gcp_secops_windows | Windows event logs |
| gcp_secops_windows_security | Windows Security logs |
| gcp_secops_windows_dns | Windows DNS Server logs |
| gcp_secops_windows_firewall | Windows Firewall logs |
| gcp_secops_linux | Linux system logs |
| gcp_secops_syslog | Standard syslog |
See Content Hub for the full list of 13 available SecOps templates.
In Content Hub, filter by Target: Google SecOps to browse available templates. Each template shows the processors used, example log transformations, and license details.
Automation and Normalization Pack
The Google Security Operations Automation and Normalization Pack in Content Hub provides a complete solution for processing and routing logs to Google SecOps, with intelligent multi-tier distribution capabilities.
Multi-Tier Routing
The pack supports simultaneous routing to multiple destinations from a single pipeline:
| Destination | Purpose |
|---|---|
| Google SecOps | Advanced threat detection with UDM-normalized data |
| Data Lake | Mid-term retention in platform-native tables |
| Object Storage | Raw log archival (S3, Azure Blob, Google Cloud Storage) |
Use smart routing to send high-value security events to Google SecOps while routing verbose logs to cost-effective object storage. The pack includes sampling and filtering options to further reduce ingestion volume.
Vendor Support
The pack includes specialized parsers for 30+ security vendors, including:
- Firewalls: Fortinet, Palo Alto Networks, Check Point, Cisco, SonicWall
- Windows: Event logs, Security logs, DNS, Firewall
- Syslog: Standard syslog, CEF, and LEEF formats
Smart Routing
Configuration-based routing automatically distributes data based on flags:
| Parameter | Function |
|---|---|
| use_smart_routing | Master switch for selective routing |
| use_google_secops | Enable Google SecOps destination |
| use_lake | Enable Data Lake destination |
| use_object_storage | Enable Object Storage archival |
| allowed_asim_tables | Filter specific ASIM tables for ingestion |
Enable append_correlationid to add unique correlation IDs to each message, providing event lineage tracking across all destinations.