
Visualizations in search

Supported in:
Google SecOps SIEM

You can save the visualizations created in search to either new or existing dashboards. For more information, see Visualizations in search.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-02 UTC.
