SIEM table of contents
Click at the top of each SIEM document to return to this table of contents.
Google SecOps SIEM
Quickstart: Investigate an alert
Onboarding to Google SecOps
Configure Google Cloud project for Google SecOps
Configure an identity provider
Configure a Google Cloud identity provider
Configure a third-party identity provider
Configure feature access control using IAM
RBAC user guide for applications not using IAM
Google SecOps permissions in IAM
Link Google SecOps to Google Cloud services
Ingesting data
Supported data sets and default parsers
Ingest data to Google SecOps
Install and configure forwarders
Overview of Google SecOps forwarders
Google SecOps forwarder for Linux
Google SecOps forwarder for Windows on Docker
Google SecOps forwarder executable for Windows
Manage forwarder configurations through Google SecOps
Troubleshoot common Linux forwarder issues
Set up data feeds
Create and manage feeds using the feed management UI
Create an Azure Event Hub feed
Create and manage feeds using the feed management API
Use ingestion scripts deployed as Cloud Functions
Ingest logs from specific sources
Collect Imperva Incapsula Web Application Firewall logs
Collect Kemp Load Balancer logs
Collect Lacework Cloud Security logs
Collect Linux auditd and Unix system logs
Collect Mimecast Secure Email Gateway logs
Collect OneLogin Single Sign-On (SSO) logs
Collect Proofpoint TAP alerts logs
Collect RSA Authentication Manager logs
Collect ServiceNow Security logs
Collect Symantec Event Export logs
Collect Trend Micro Cloud One logs
Collect WatchGuard Fireware logs
Install Carbon Black Event Forwarder
Ingest from Google Cloud
Configure Google Cloud ingestion
Collect Google Cloud Firewall logs
Collect Google Cloud Load Balancing logs
Collect Google Kubernetes Engine logs
Ingest Chrome Enterprise Premium data to Google Security Operations
Send Google Workspace data to Google SecOps
Collect Chrome management logs
Collect reCAPTCHA Enterprise logs
Collect Security Command Center findings
Ingest from Atlassian
Collect Atlassian Bitbucket logs
Ingest from AWS
Collect Amazon CloudFront logs
Ingest from Azure
Collect Microsoft Azure AD logs
Collect Microsoft Azure AD Audit logs
Collect Microsoft Azure AD Context logs
Collect Azure DevOps audit logs
Ingest from Cisco
Collect Cisco ASA firewall logs
Collect Cisco Secure Email Gateway logs
Ingest from Cloudflare
Ingest from CrowdStrike
Collect CrowdStrike Detection logs
Ingest from F5
Ingest from Jamf
Ingest from Microsoft
Collect Microsoft Defender for Cloud Alert logs
Collect Microsoft Graph Activity logs
Collect Microsoft Graph API alerts logs
Collect Microsoft Sentinel logs
Collect Microsoft Windows AD data
Collect Microsoft Windows DHCP data
Collect Microsoft Windows DNS data
Collect Microsoft Windows Event data
Collect Microsoft Windows Sysmon data
Ingest from Netskope
Collect Netskope alert logs v1
Collect Netskope alert logs v2
Ingest from Palo Alto Networks
Collect Palo Alto Cortex XDR alerts logs
Collect Palo Alto Networks firewall logs
Collect Palo Alto Networks IOC logs
Collect Palo Alto Prisma Cloud logs
Collect Palo Alto Prisma Cloud alert logs
Ingest from SentinelOne
Collect SentinelOne Cloud Funnel logs
Collect SentinelOne Alert logs
Monitor data ingestion
Use Data Ingestion and Health dashboard
Use Cloud Monitoring for ingestion notifications
Work with Google SecOps parsers
Overview of the Unified Data Model
Manage prebuilt and custom parsers
Important UDM fields for parser data mapping
Tips and troubleshooting when writing parsers
How Google SecOps enriches event and entity data
Detecting threats
Review potential security threats
Monitor for events using rules
View rules in the Rules Dashboard
Manage rules using Rules Editor
View previous versions of a rule
Run a rule against historical data
Use rules to filter events in a DataTap configuration
Create context-aware analytics
Overview of context-aware analytics
Use Cloud Sensitive Data Protection data in context-aware analytics
Use context-enriched data in rules
Risk analytics
Risk Analytics Quickstart guide
Use the Risk Analytics dashboard
Create rules for Risk Analytics
Specify entity risk score in rules
Work with curated detections
Use curated detections to identify threats
Overview of Cloud Threats category
Overview of Linux Threats category
Overview of macOS Threats category
Overview of Risk Analytics for UEBA category
Overview of Windows Threats category
Overview of Applied Threat Intelligence curated detections
Verify data ingestion using test rules
Applied Threat Intelligence
Applied Threat Intelligence overview
Applied Threat Intelligence prioritization
View IOCs using Applied Threat Intelligence
Applied Threat Intelligence fusion feed overview
Answer Threat Intelligence questions with Gemini
About the YARA-L language
Generate a YARA-L rule using Gemini
Investigating threats
View Alerts
Searching for data
Use context-enriched fields in UDM search
Use UDM Search to investigate an entity
Use UDM Search time range and manage queries
Statistics and aggregations in UDM search using YARA-L 2.0
Generate UDM search queries with Gemini
Search raw logs using Raw Log Scan
Using investigative views
View information from VirusTotal
Filtering data in investigative views
Overview of procedural filtering
Filter data in IP Address view
Reporting
Use context-enriched data in reports
Work with custom dashboards
Import and export Google SecOps dashboards
Work with Preview Dashboards
Manage charts in Preview Dashboards
Administration
Administer users
Configure feature access control using IAM
Configure data access control
Configure data RBAC for reference lists
Set up data feeds
Google Analytics in Google SecOps