Hi, my customer currently stores all their workspace logs in BigQuery on Google Cloud Platform (GCP). They would like to forward all logs from BigQuery directly to Google's Security Operations (SecOps) solutions. Is this possible? If so, what would be the best approach to achieve this? Also, could you point me to any relevant documentation for this process?
@cmmartin_google
The best approach would be to use the native integration from Google SecOps, which can read Workspace logs directly and does not require an export to BigQuery - https://cloud.google.com/chronicle/docs/ingestion/cloud/workspace-to-chronicle
Collection of Workspace logs from BigQuery would be a custom integration, e.g., a cloud function to query BQ and export the results to GCS, or post directly to the Chronicle SIEM Ingestion API, and then it would require a custom parser.
Technically possible, but I would highly recommend the first option, as not only do they then not need to do any custom ingestion pipeline or parser management, but also our Curated Detection content will work out of the box with Workspace too.
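As an added example that is not from this thread or from Google's own tooling, here is a sketch of the custom path the answer describes: an HTTP Cloud Function in Python that queries BigQuery and posts the rows to the Chronicle SIEM Ingestion API as unstructured log entries for a custom parser. The endpoint, OAuth scope, log type label, table and column names, and batch size are assumptions to verify against the Ingestion API documentation.

```python
import json
from datetime import date, datetime
# Assumed Ingestion API endpoint, OAuth scope and request shape: verify against the current docs.
INGESTION_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
INGESTION_SCOPE = "https://www.googleapis.com/auth/malachite-ingestion"
CUSTOMER_ID = "<chronicle-customer-id>"  # placeholder
LOG_TYPE = "WORKSPACE_BQ_EXPORT"  # assumed label; must match the log type the custom parser is bound to
MAX_ENTRIES = 500  # assumed batch size; keep each request under the API's request size limit
# Constructed sample rows in the shape BigQuery returns (mappings); not real data.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "event_name": "login_success", "time_usec": 1700000000000000},
    {"email": "bob@example.com", "event_name": "login_failure", "time_usec": 1700000001000000},
]

def _json_default(value):
    # BigQuery TIMESTAMP/DATE columns arrive as datetime/date objects; emit ISO 8601 strings.
    if isinstance(value, (datetime, date)):
        return value.isoformat()
    raise TypeError(f"cannot serialise {type(value).__name__}")

def row_to_log_text(row):
    """One BigQuery row (mapping) -> one JSON line with stable key order for the parser."""
    return json.dumps(dict(row), default=_json_default, sort_keys=True)

def build_batches(rows, max_entries=MAX_ENTRIES):
    """Group rows into Ingestion API request bodies of at most max_entries entries each."""
    batches, entries = [], []
    for row in rows:
        entries.append({"log_text": row_to_log_text(row)})
        if len(entries) == max_entries:
            batches.append({"customer_id": CUSTOMER_ID, "log_type": LOG_TYPE, "entries": entries})
            entries = []
    if entries:
        batches.append({"customer_id": CUSTOMER_ID, "log_type": LOG_TYPE, "entries": entries})
    return batches

def forward_workspace_logs(request):
    """HTTP Cloud Function entry point; cloud imports live here so the helpers above run offline."""
    import google.auth
    from google.auth.transport.requests import AuthorizedSession
    from google.cloud import bigquery
    since_usec = int(request.args.get("since_usec", 0))  # caller-supplied watermark (assumed column)
    query = "SELECT * FROM `my-project.workspace_logs.activity` WHERE time_usec > @since"  # assumed table
    params = [bigquery.ScalarQueryParameter("since", "INT64", since_usec)]
    rows = bigquery.Client().query(query, job_config=bigquery.QueryJobConfig(query_parameters=params)).result()
    creds, _ = google.auth.default(scopes=[INGESTION_SCOPE])
    session = AuthorizedSession(creds)
    for batch in build_batches(rows):
        session.post(INGESTION_URL, json=batch).raise_for_status()
    return "ok"
```

The function's service account needs BigQuery read access and Ingestion API credentials; `build_batches(SAMPLE_ROWS)` shows the request bodies without any cloud access.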
Are there any plans to make this direct log ingestion solution available to Google Workspace domains with Education Plus licensing? Currently it is only available to Enterprise Standard or Enterprise Plus Workspace editions.
I've been waiting on this since this was announced last November 2023. For all the reasons you list, I'd rather use this solution than do something custom.
We have some data in BQ we'd like to ingest for contextual enrichment. Is a cloud function still required or can we route to a log sink and export that way to SIEM?