Data ingestion to Google Security Operations overview

The following diagram illustrates how your security data can flow to Google Security Operations and how Google Security Operations handles that data and prepares it for analysis using the Google Security Operations user interface.

[Diagram: Flow and Processing of Customer Security Data to Google Security Operations]

Google Security Operations processes customer security data as follows:

  1. An internal data forwarding service (such as Google Security Operations Forwarder) or a standard secure protocol (such as SFTP) sends raw security data directly to Google Security Operations. The security data is encrypted while in transit to Google Security Operations.
  2. Google Security Operations retrieves security data stored in a cloud service (such as Amazon S3 or Google Cloud). The data is encrypted while in transit to Google Security Operations.
  3. Google Security Operations logically segregates your security data and stores it in your account in an encrypted form. Access to the data is limited to the customer and a limited number of Google personnel as necessary to support, develop, and maintain the product.
  4. Google Security Operations parses and validates the raw security data, making the data easier to process and display.
  5. Google Security Operations indexes the data to make it easier to search.
  6. After the security data is validated and parsed, Google Security Operations checks it against third-party feeds (such as the DHS threat feed) and Google Security Operations' internal threat analytics tools and systems.
  7. Google Security Operations stores parsed and indexed data in an encrypted form within each account.
  8. You log in to your account to search and review your security data.
  9. Google Security Operations searches for matches between your security data and the VirusTotal malware database. In a Google Security Operations event view, such as Asset view, click VT Context to display information from VirusTotal. Your security data is never shared with VirusTotal.