Request prebuilt and create custom log types

Supported in:

This document describes options to help you process log data that isn't processed by existing Google Security Operations parsers. In such cases, Google SecOps supports the creation of log types to enable parsing and ingestion.

You can choose between the following types:

  • Prebuilt log types: You can request Google SecOps to create and manage prebuilt log types. These work in conjunction with prebuilt and preconfigured parsers. 2–3 weeks after your request, these prebuilt log types are made available to all Google SecOps customers.

  • Custom log types: Created and managed by your organization. You need to configure corresponding custom parsers in-house, where the custom log types and parsers become internally (only to your organization) available 10 minutes after creation.

For information about corresponding prebuilt parsers and custom parsers, see Manage prebuilt and custom parsers.

Create a custom log type

To create a custom log type, do the following:

  1. Go to SIEM settings > Available Log Types. You can view available log types using the Search feature.

  2. Click Request a Log Type.

  3. Under the Create a custom log type on your own, enter details for your log type.

    For example, to create a custom log type for Azure Key Vault logging, complete the following:

    • In the Vendor/Product field, enter Azure Key Vault logging.

    • In the Log Type field, enter AZURE_KEYVAULT_LOGGING.

  4. Click Create Log Type.

  5. Wait 10 minutes to ensure that the new log type is available in all components before creating feeds with it.

The custom log type limitations are:

  • Total: 400

  • Daily: 25

  • Hourly: 8

Need more help? Get answers from Community members and Google SecOps professionals.