SIEM table of contents

You can return to this table of contents at any time by clicking siem at the top of documents that are for SIEM.

Google SecOps SIEM

Product overview

Log in to Google SecOps

Quickstart: Conduct a search

Quickstart: Investigate an alert

Onboarding to Google SecOps

Overview of the process

Configure Google Cloud project for Google SecOps

Configure an identity provider

Configure a Google Cloud identity provider

Configure a third-party identity provider

Configure feature access control using IAM

Configure data RBAC using IAM

RBAC user guide for applications not using IAM

Google SecOps permissions in IAM

Link Google SecOps to Google Cloud services

Ingesting data

Ingest entity data

Overview of data ingestion

Supported data sets and default parsers

Ingest data to Google SecOps

Install and configure forwarders

Overview of Google SecOps forwarders

Google SecOps forwarder for Linux

Google SecOps forwarder for Windows on Docker

Google SecOps forwarder executable for Windows

Manage forwarder configurations through Google SecOps

Troubleshoot common Linux forwarder issues

Set up data feeds

Feed management overview

Create and manage feeds using the feed management UI

Create and manage feeds using the feed management API

Use ingestion scripts deployed as Cloud Functions

Use the Ingestion API

Use the BindPlane agent

Ingest logs from specific sources

Collect Ansible AWX logs

Collect Auth0 logs

Collect Azion firewall logs

Collect Cloudflare WAF logs

Collect Corelight Sensor logs

Collect CyberX logs

Collect Duo Activity logs

Collect Fidelis Network logs

Collect Forcepoint DLP logs

Collect FortiWeb WAF logs

Collect GitHub audit logs

Collect GitLab logs

Collect Imperva Incapsula Web Application Firewall logs

Collect Infoblox logs

Collect Juniper Junos logs

Collect Kemp Load Balancer logs

Collect Linux auditd and Unix system logs

Collect Mimecast Secure Email Gateway logs

Collect Netgate pfSense logs

Collect Netscaler logs

Collect Okta logs

Collect OneLogin Single Sign-On (SSO) logs

Collect OSSEC logs

Collect osquery logs

Collect Proofpoint TAP alerts logs

Collect Pulse Secure logs

Collect Qualys Scan logs

Collect RSA Authentication Manager logs

Collect SonicWall logs

Collect Sophos UTM logs

Collect Splunk CIM logs

Collect Suricata logs

Collect Symantec Event Export logs

Collect Tripwire logs

Collect Twingate VPN logs

Collect Wazuh logs

Collect Wordpress CMS logs

Collect Zeek (Bro) logs

Install Carbon Black Event Forwarder

Ingest from Atlassian

Collect Atlassian Bitbucket logs

Collect Atlassian Jira logs

Ingest from AWS

Collect AWS GuardDuty logs

Collect AWS VPC Flow logs

Collect Amazon CloudFront logs

Collect AWS RDS logs

Collect AWS data

Ingest from Azure

Collect Azure Activity logs

Collect Microsoft Azure AD logs

Collect Microsoft Azure AD Audit logs

Collect Microsoft Azure AD Context logs

Collect Azure DevOps audit logs

Ingest from Cisco

Collect Cisco ASA firewall logs

Collect Cisco ISE logs

Collect Cisco Meraki logs

Collect Cisco Secure Email Gateway logs

Collect Cisco Secure ACS logs

Ingest from CrowdStrike

Collect CrowdStrike Detection logs

Collect CrowdStrike EDR logs

Collect CrowdStrike IOC logs

Ingest from F5

Collect F5 BIG-IP APM logs

Collect F5 BIG-IP LTM logs

Ingest from Jamf

Collect Jamf Protect logs

Collect Jamf Telemetry logs

Ingest from Microsoft

Collect Microsoft 365 logs

Collect Microsoft Defender for Cloud Alert logs

Collect Microsoft Graph Activity logs

Collect Microsoft Graph API alerts logs

Collect Microsoft Intune logs

Collect Microsoft Sentinel logs

Collect Microsoft Windows AD data

Collect Microsoft Windows DHCP data

Collect Microsoft Windows DNS data

Collect Microsoft Windows Event data

Collect Microsoft Windows Sysmon data

Ingest from Palo Alto Networks

Collect Palo Alto Cortex XDR alerts logs

Collect Palo Alto Networks firewall logs

Collect Palo Alto Prisma Cloud logs

Ingest from SentinelOne

Collect SentinelOne Cloud Funnel logs

Collect SentinelOne EDR logs

Monitor data ingestion

Use Data Ingestion and Health dashboard

Use Cloud Monitoring for ingestion notifications

Work with Google SecOps parsers

Overview of log parsing

Overview of the Unified Data Model

Manage prebuilt and custom parsers

Using parser extensions

Important UDM fields for parser data mapping

Tips and troubleshooting when writing parsers

Format log data as UDM

How Google SecOps enriches event and entity data

Detecting threats

View alerts and IOCs

Review potential security threats

Single event rules

Multiple event rules

Rule chaining

Monitor for events using rules

View rules in the Rules Dashboard

Manage rules using Rules Editor

View previous versions of a rule

Archive rules

Download events

Run a rule against live data

Run a rule against historical data

Set the run frequency

Detection limits

Rule errors

Create context-aware analytics

Overview of context-aware analytics

Use Cloud Sensitive Data Protection data in context-aware analytics

Use context-enriched data in rules

Use default detection rules

Risk analytics

Overview of Risk Analytics

Use the Risk Analytics dashboard

Create rules for Risk Analytics

Specify entity risk score in rules

Work with curated detections

Use curated detections to identify threats

Use the curated detections UI

Overview of Cloud Threats category

Overview of Linux Threats category

Overview of Risk Analytics for UEBA category

Overview of Windows Threats category

Overview of Applied Threat Intelligence curated detections

Verify data ingestion using test rules

Configure rule exclusions

Applied Threat Intelligence

Applied Threat Intelligence overview

Applied Threat Intelligence prioritization

View IOCs using Applied Threat Intelligence

IC score overview

Applied Threat Intelligence fusion feed overview

Answer Threat Intelligence questions with Gemini

About the YARA-L language

YARA-L 2.0 language overview

YARA-L 2.0 language syntax

YARA-L best practices

Generate a YARA-L rule using Gemini

Create a reference list

Timestamp definitions

Investigating threats

View Alerts

Overview

Investigate an alert

Investigate a GCTI alert

Searching for data

Search for UDM event

Use context-enriched fields in UDM search

Use UDM Search to investigate an entity

Use UDM Search time range and manage queries

Statistics and aggregations in UDM search using YARA-L 2.0

Generate UDM search queries with Gemini

UDM search best practices

Conduct a raw log search

Search raw logs using Raw Log Scan

Filter data in raw log search

Create a reference list

Using investigative views

Use investigative views

Investigate an asset

Work with asset namespaces

Investigate a domain

Investigate an IP address

Investigate a user

Investigate a file

View information from VirusTotal

Filtering data in investigative views

Overview of procedural filtering

Filter data in User view

Filter data in Asset view

Filter data in Domain view

Filter data in IP Address view

Filter data in Hash view

Reporting

Overview of data in BigQuery

Use context-enriched data in reports

Dashboards overview

Work with custom dashboards

Create a custom dashboard

Add a chart to a dashboard

Share a personal dashboard

Schedule dashboard reports

Import and export Google SecOps dashboards

Administration

Administer users

Configure feature access control using IAM

Configure data access control

Overview of data RBAC

Data RBAC impact on features

Configure data RBAC for users

Configure data RBAC for reference lists

Set up data feeds

Feed management user guide

CLI user guide

Configure audit logs

Data retention

Google Analytics in Google SecOps