If you are using IAM custom roles, you need to do the following:
Go to IAM & Admin > Roles.
Select the existing custom role and click Edit Role.
Click Add permissions.
Enter the following:
chronicle.feedPacks.get
chronicle.feedPacks.list
Click Save.
Configure log feeds
To enable effective threat detection and investigation, Google Security Operations relies on structured log ingestion. Properly configuring log feeds makes sure that relevant data is normalized and made available for correlation, alerting, and analysis.
This document explains how to set up and manage log feeds within Google SecOps.
You can configure multiple feeds per product family according to the log type.
Log types identified by Google as a baseline, are marked as required.
The platform provides setup instructions, required procedures,
and explanations of configuration parameters.
Some parameters are predefined to simplify the configuration process.
For example, you can create multiple feeds under both required and optional log types
within a product, such as CrowdStrike Falcon:
Access the multiple feeds configuration page
There are two ways to reach the multiple feeds configuration screen:
Content Hub > Content Packs
Settings > Feeds
Configure the feed for CrowdStrike EDR
Follow these steps to configure a log feed for CrowdStrike EDR.
From Settings > Feeds, click Add New Feed
Click the CrowdStrike Falcon product:.
Select CrowdStrike EDR log type.
Alternatively, from Content Hub > Content Packs, click the CrowdStrike Falcon product:
Click Get Started.
Select CrowdStrike EDR log type.
Specify values for the following fields:
Field
Description
Source Type
Amazon SQS
Region
The AWS S3 region associated with the URI.
Queue Name
The SQS queue name to read from.
Account Number
The SQS account number.
Source Deletion Option
Indicates whether to delete files and directories after the transfer.
Queue Access Key ID
A 20-character alphanumeric access key for the account, such as AKIAOSFOODNN7EXAMPLE.
Queue Secret Access Key
A 40-character alphanumeric secret access key for the account, such as, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Optional: Configure the following parameters:
Feed Name: prepopulated unique name for the feed.
Asset namespace: namespace associated with the feed.
Ingestion labels: labels applied to the events from this feed.
Click Create Feed.
You can repeat this process to create additional feeds for the same log type. You can also configure feeds for other available log types directly from this page. When finished, go to the Feed Management page to view a detailed summary of all configured log types.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Configure feeds by product\n==========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nBefore you begin\n----------------\n\nIf you are using IAM custom roles, you need to do the following:\n\n1. Go to **IAM \\& Admin \\\u003e Roles**.\n2. Select the existing custom role and click **Edit Role**.\n3. Click **Add permissions**.\n4. Enter the following:\n - **chronicle.feedPacks.get**\n - **chronicle.feedPacks.list**\n5. Click **Save**.\n\nConfigure log feeds\n-------------------\n\nTo enable effective threat detection and investigation, Google Security Operations relies on structured log ingestion. Properly configuring log feeds makes sure that relevant data is normalized and made available for correlation, alerting, and analysis.\n\nThis document explains how to set up and manage log feeds within Google SecOps.\nYou can configure multiple feeds per product family according to the log type.\nLog types identified by Google as a baseline, are marked as **required**.\n\nThe platform provides setup instructions, required procedures,\nand explanations of configuration parameters.\nSome parameters are predefined to simplify the configuration process.\nFor example, you can create multiple feeds under both required and optional log types\nwithin a product, such as CrowdStrike Falcon:\n\nAccess the multiple feeds configuration page\n--------------------------------------------\n\nThere are two ways to reach the multiple feeds configuration screen:\n\n- **Content Hub \\\u003e Content Packs**\n- **Settings \\\u003e Feeds**\n\n### Configure the feed for CrowdStrike EDR\n\nFollow these steps to configure a log feed for CrowdStrike EDR.\n\n1. From **Settings \\\u003e Feeds** , click **Add New Feed**\n 1. Click the **CrowdStrike Falcon** product:.\n 2. Select **CrowdStrike EDR** log type.\n2. Alternatively, from **Content Hub \\\u003e Content Packs** , click the **CrowdStrike Falcon** product:\n 1. Click **Get Started**.\n 2. Select **CrowdStrike EDR** log type.\n3. Specify values for the following fields:\n\n \u003cbr /\u003e\n\n4. Optional: Configure the following parameters:\n\n - Feed Name: prepopulated unique name for the feed.\n - Asset namespace: namespace associated with the feed.\n - Ingestion labels: labels applied to the events from this feed.\n5. Click **Create Feed**.\n\nYou can repeat this process to create additional feeds for the same log type. You can also configure feeds for other available log types directly from this page. When finished, go to the **Feed Management** page to view a detailed summary of all configured log types.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
