Build with Google Cloud Security MCP Servers
Google Cloud Security announced open source Model Context Protocol (MCP) servers for Google SecOps (SIEM and S...
SecOps SIEM
Have SIEM questions? Connect with other Google Cloud Security experts to discuss best practices, troubleshooting, and the latest updates on Google Cloud's SIEM solutions.
Forum Posts
SecOps API Wrapper SDK for Python
Announcing the release of a simple SecOps API Wrapper SDK: https://pypi.org/project/secops/ now using the SecO...
Community-driven detection content for Google SecOps. Calling all defensive practitioners!
A few members of the Google Cloud Security Community have expressed interest in sharing detection content with...
Ingestion API
Community,I recently integrated a log source using the Ingestion API. Specifically, I have a script that makes...
UDM Search Returning $event_count > 3
Not sure why I am having such a difficult time trying to figure this out, but if I'm running a particular UDM ...
Deduplicating Email Addresses/Iterating over repeated fields in parser
Hey AllIn the workspace user parser my users get the same email added to the entity.user.email_addresses field...
Search for Alerts using UDM search
Hello everyone,I would like to ask is it possible to search for alerts and their details using the udm search ...
Existing | default keyboard shortcuts - where do I find list?
Hi folks I just accidentally found that I can comment out a line in SIEM UDM search by ctrl-/ and I can be any...
SIEM Rules - meta - longer descriptions viewable in SOAR cases
I want to add longer descriptions in the meta of some SIEM rules so the info shows up in the related SOAR case...
Windows 4624 Logon Types Table
I want to be able to find successful windows logons, specifically remote logon's, and capture data from fields...
Chronicle SIEM Dashboard
I Want to create a dashboard for the alerts that are triggered in SIEM and need to know the case has been crea...
Bring Audit logs to Chronicle
Community,How do I bring "Audit Logs" from "ManageEngine Endpoint Central" to SecOps ?Endpoint Central is a su...
Generate Query by Gemini
Hi.According to Gemini in Google SecOps documentation, it mentions the capability to use Gemini for generating...
SOAR Case (rule events missing in SOAR)
Hello Team,For the 'impossible_travel_login_activity' alert involving from a user, our initial review of the e...
Entity mapping in parsers
Has anyone tried to map entities in the parser ? (Ex. entity.user.user_id, entity.url, entity.hostname, etc......
Throttle Rule Alerts
Hi #community,Is there any option to throttle or prevent a rule with same criteria triggers for x period of ti...
Sign up process for Chronicle SIEM
Hi All,I filled out a Contact Us form over a month ago and I got a reply from a Google sales team member. Had ...
Thehive service fail few seconds after start
I've tried found solutions on google but none fixed my issue.Have you already faced this prolem ?You help woul...
SIEM > UDM search > "Add to Events Table" - column views
Every so often I'm unable to add as a column a key or value type column I can see in the aggregations pane (im...
Ingest Entra ID Identity Protection Alerts into SIEM
Hi everyone,Does anyone has experience in ingesting Entra ID Identity Protection Alerts (IdentityRiskEvent and...
Creating Parser with a tool
Does anyone have or know a tool to generate custom parsers for logs
Adding blank entities to parser to be filled in by IDE
I want to add blank parser fields so that I can go through later using a script made with SecOps in the IDE to...
How to convert epoch values to human redable format in OUTCOME section
Hi All,I am trying to solve event first seen and last seen using MIN, MAX functions, but it returns an epoch v...
Cannot assign group for Chronicle access using IAM
Hello, I got an Unauthorized error like the image below "There was a problem. An error occurred during authent...
Limited Event Time Range when using Stats UDM Search
I am really hyped about the new Stats UDM Search feature which was released recently. Along with that there wa...
Concatinating field from nested json by extending the parser
Hi All, Need to implement this urgently - tried all options including ruby / split etc but none of that works ...
Mandiant Threat Advantage integration with SIEM
Hi All,We want to integrate Mandiant with Google SIEM. Can someone please advise how can this be done.
Alerting on Retrospective IOC Matches
I'm trying to understand how alerting to SOAR works when there's a retrospective match on an IOC. Specifically...
Get sample parsers
HeyIs there a way to get a list of parsers currently available in Google chronicle, is it published in any git...
How can we integrate Tenable IVM and Tenable Access control with Chronicle SIEM
Can someone please help me on how i can integrate (ingestion method) Tenable IVM and Tenable Access control Ch...
Custom Enrichment ?
Community,Lets say I bring in logs from an endpoint management tool, where the logs will be from an API call w...
Log ingestion Best Pratices - Direct Ingestion logs
Hi folks,Recently, I got a SecOps implementation project that asked me to ingest some GCP-Native logs, such as...
search id for udm and raw_log search
Hi Community, I have two questions/doubts. 1. is there any way to pull the search ID for every user search on ...
