
Visualizations in search

Supported in:
Google SecOps SIEM

You can save the visualizations created in search to either new or existing dashboards. For more information, see Visualizations in search.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-30 UTC.
