Configure feeds by product

To enable effective threat detection and investigation, Google Security Operations relies on structured log ingestion. Properly configuring log feeds ensures that relevant data is normalized and made available for correlation, alerting, and analysis.

This document explains how to set up and manage log feeds within Google SecOps. You can configure multiple feeds per product family according to the log type. Log types that Google has identified as a baseline are marked as required. The platform provides setup instructions, required procedures, and explanations of configuration parameters. Some parameters are predefined to simplify the configuration process. For example, you can create multiple feeds under both required and optional log types within a product such as CrowdStrike Falcon.

Access the multiple feeds configuration page

There are two ways to reach the multiple feeds configuration screen:

  • Content Hub > Content Packs
  • Settings > Feeds

Configure the feed for CrowdStrike EDR

This procedure focuses on configuring the feed for CrowdStrike EDR.

  1. From Settings > Feeds, click the CrowdStrike Falcon product:
    1. Click Add New Feed.
    2. Select CrowdStrike EDR.
  2. Alternatively, from Content Hub > Content Packs:
    1. Select CrowdStrike Falcon.
    2. Click Get Started.
  3. Specify values for the following fields:

    Field                    Description
    Region                   The AWS S3 region associated with the URI.
    Queue Name               The SQS queue name to read from.
    Account Number           The SQS account number.
    Source Deletion Option   Indicates whether to delete files and directories after the transfer.
    Queue Access Key ID      A 20-character alphanumeric access key for the account, such as AKIAOSFOODNN7EXAMPLE.
    Queue Secret Access Key  A 40-character alphanumeric secret access key for the account, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

  4. Optional: Configure the following parameters:

    • Feed Name: unique name for the feed, prepopulated, but editable.
    • Source type: Amazon SQS is preselected, but editable.
    • Asset namespace: namespace associated with the feed.
    • Ingestion labels: labels applied to the events from this feed.
  5. Click Create Feed.
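
The procedure above fills in an Amazon SQS feed by hand. The following Python script is an added example, not code from this page or from Google SecOps: it checks the field values against the formats described in the table (20-character key ID, 40-character secret) before you paste them into the form, builds the ARN of the queue the feed will read from, and emits a least-privilege IAM policy for the identity behind the Queue Access Key ID. The policy's action list and the 12-digit account-number check are assumptions based on AWS conventions; this page does not enumerate the permissions Google SecOps requires. Note that S3 delete rights are only granted when the Source Deletion Option is enabled, which is the one setting here that can destroy data on the source side.

```python
import re
from dataclasses import dataclass

# Field formats taken from the table above: a 20-character alphanumeric key ID
# and a 40-character secret (the documented sample secret also contains "/",
# so the secret pattern accepts the base64-style characters AWS secrets use).
ACCESS_KEY_ID_RE = re.compile(r"^[A-Z0-9]{20}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
# Assumption (AWS convention, not stated on this page): account numbers are 12 digits.
ACCOUNT_NUMBER_RE = re.compile(r"^\d{12}$")


@dataclass
class SqsFeedConfig:
    """The field values entered on the CrowdStrike EDR feed form."""
    region: str
    queue_name: str
    account_number: str
    source_deletion: bool
    queue_access_key_id: str
    queue_secret_access_key: str


def validate(cfg: SqsFeedConfig) -> list:
    """Return a list of problems; an empty list means every field is well-formed."""
    problems = []
    if not cfg.region:
        problems.append("Region must not be empty")
    if not cfg.queue_name:
        problems.append("Queue Name must not be empty")
    if not ACCOUNT_NUMBER_RE.match(cfg.account_number):
        problems.append("Account Number must be 12 digits")
    if not ACCESS_KEY_ID_RE.match(cfg.queue_access_key_id):
        problems.append("Queue Access Key ID must be 20 alphanumeric characters")
    if not SECRET_KEY_RE.match(cfg.queue_secret_access_key):
        problems.append("Queue Secret Access Key must be 40 characters")
    return problems


def queue_arn(cfg: SqsFeedConfig) -> str:
    """ARN of the queue the feed reads, built from Region, Account Number and Queue Name."""
    return f"arn:aws:sqs:{cfg.region}:{cfg.account_number}:{cfg.queue_name}"


def least_privilege_policy(cfg: SqsFeedConfig, bucket: str) -> dict:
    """IAM policy to attach to the identity behind the Queue Access Key ID.

    Assumption: this page does not list the permissions Google SecOps needs;
    the actions below are the minimum an SQS-notified S3 pull uses. Delete
    rights on the bucket are granted only when Source Deletion is enabled.
    """
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [
        {
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": queue_arn(cfg),
        },
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": objects},
    ]
    if cfg.source_deletion:
        statements.append({"Effect": "Allow", "Action": ["s3:DeleteObject"], "Resource": objects})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: the example keys come from the table above, the rest are made up.
SAMPLE = SqsFeedConfig(
    region="us-east-1",
    queue_name="crowdstrike-edr-events",
    account_number="123456789012",
    source_deletion=False,
    queue_access_key_id="AKIAOSFOODNN7EXAMPLE",
    queue_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)

if __name__ == "__main__":
    import json
    print("problems:", validate(SAMPLE))
    print(json.dumps(least_privilege_policy(SAMPLE, "crowdstrike-edr-bucket"), indent=2))
```

Run the script before creating the feed; an empty problem list means the values match the documented formats, and the printed policy is the scope to give the access key rather than a broad S3 or SQS wildcard.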

You can repeat this process to create additional feeds for the same log type. You can also configure feeds for other available log types directly from this page. Once you're done, go to the Feed Management page to view a detailed summary of all configured log types.
