Build with Google Cloud Security MCP Servers
Google Cloud Security announced open source Model Context Protocol (MCP) servers for Google SecOps (SIEM and S...
SecOps SIEM
Have SIEM questions? Connect with other Google Cloud Security experts to discuss best practices, troubleshooting, and the latest updates on Google Cloud's SIEM solutions.
Forum Posts
SecOps API Wrapper SDK for Python
Announcing the release of a simple SecOps API Wrapper SDK: https://pypi.org/project/secops/ now using the SecO...
Community-driven detection content for Google SecOps. Calling all defensive practitioners!
A few members of the Google Cloud Security Community have expressed interest in sharing detection content with...
Reporting through Dashboards
Hi All,I'm looking for a way to fulfill reporting requirements, potentially through dashboards. I understand t...
Chronicle Ingestion Script errors
Recently we've been having trouble getting several Chronicle Ingestion scripts working (found here https://git...
Open sourced our Chronicle detection rules
Hey all, I open sourced our Chronicle detection rules (and a few helpers) on GitHub a couple of weeks back. I'...
Data Storage in Chronicle SIEM
Hello,how is the data (UDM and RAW) in the DB encrypted? For example if storing security strings.Thanks for th...
Failed to connect to Chronicle Alerts APIs
We are try to extract alert generated in Chronicle instance with the below approaches: Approach 1: https://clo...
Locating Unparsed Logs in SIEM?
I ingested 911K log lines and I can see in the "Data Ingestion and Health" dashboard that 8.2K failed, but I d...
Reference List Creation
Hi,is there a way to create a reference list via the GUI? The only way I found is via APIs...Thanks.A
UDM Search succeeds for network.email.to but fails for network.session_id
If I do a UDM Search for network.email.to = "" it returns a result, but if I copy the UDM for network.session_...
Workspace_Activity Download: Who done it?
I'm looking at events in Chronicle withmetadata.log_type = "WORKSPACE_ACTIVITY"metadata.product_name = "drive"...
chronicle forward data to other SIEM
Does Chronicle have the ability to forward data to other SIEM platforms? Such as Splunk, IBM QRadar.
How to access chronicle data in Big Query
Hi All,I want access the metrics available in Big Query which are ingested by Chronicle SIEM using Python. Can...
What is the process we should be following to ensure we don’t get duplicate events?
Hi all, what is the process we should be following to ensure we don’t get duplicate events? I found one refere...
IOC matching with YARA-L rule
Hi!I wrote a YARA-L rule for IOC matching where i need to check if the confidence level of the IOC is above 75...
Looking for an API to monitor EPS events ingested, parsed in UDM etc
Hi i'm searching for an API to monitor EPS for number of events ingested, parsed in UDM etc, Is there anything...
Got this error when writing a YARA-L detection rule in the Chronicle editor
Hi all, I was writing a YARA-L detection rule in the Chronicle editor and I need to match the string "C:\Progr...
is there a way to send logs to chronicle via intranet traffic instead of going over the internet?
Hi all, can we send logs to chronicle via intranet traffic instead of going over the internet?
Question about ingesting from GCS buckets using feeds management UI
I have a question: When Ingesting from GCS buckets using feeds management UI, it mentions that chronicle doesn...
How to simply inject syslog without any parser?
Hi there! Is there a way to simply inject syslog without any parser (because there is none available for the p...
Dashboard for time between logging and detections firing
Does anyone have any advice on how you could create a dashboard to see the average amount of time between the ...
Is it possible to use Arrays.contains with two variables in Yara-L?
In the documentation it seems that the arrays.contains function can be used like the following, arrays.contain...
Detect off additional fields in Yara-L
Is it possible to make a Yara-L rule that is detecting off of a specific field in the additional section?I hav...
Rules and how they works
Does anyone know if Google have a list of Rules which are available in Chronicle Security and are base on whic...
Sharing log parsers with people on this community
What’s been your experience sharing log parsers with people on this community? Has it been beneficial? Risky? ...
See if a UDM field contains a substring of another UDM field
Is there any way in Yara-L to check if a UDM field contains a substring of another UDM field? The following ex...
creating customers in chronicle siem
Hi Team, Looking for guidance creating customers in chronicle siem using the api. Can't seem to get it working...
Enterprise insights feature
Hi All, I was wondering if the Demo has the 'Enterprise insights' feature
Dashboard for time between logging and detections
Does anyone have any advice on how you could create a dashboard to see the average amount of time between the ...
Windows event forwarding
@Lokesh_Dachepal If you don't want to use a SIEM product, you can always do Windows event forwarding to get al...
Supported Data Sources
Can someone help me understand the different supported data sources for Chronicle?Thanks in advance.
Non-English characters in logs not rendering in Chronicle?
Windows Event logs from servers configured in a language using non-English character set are not rendering in ...
