Google SecOps

GCP Security Target

Synopsis

The Google SecOps target forwards events to Google Security Operations using the Ingestion API. Supports both V1 and V2 API versions with unstructured logs or UDM (Unified Data Model) format submission.

Schema

- name: <string>
  description: <string>
  type: gcpsecops
  properties:
    api_version: <string>
    send_events_as: <string>
    udm_type: <string>
    region: <string>
    customer_id: <string>
    authentication:
      method: <credentials|secret|apikey|apikeysecret>
    service_account_credentials: <string>
    service_account_credentials_secret: <string>
    api_key: <string>
    api_key_secret: <string>
    default_log_type: <string>
    log_text_field: <string>
    namespace: <string>
    custom_log_types:
      - log_type: <string>
        description: <string>
    labels:
      - key: <string>
        value: <string>
    batch_size: <integer>
    timeout: <integer>
    field_format: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

Base Target Fields

Field	Type	Required	Description
name	string	Y	Unique identifier for this target
description	string	N	Human-readable description
type	string	Y	Must be gcpsecops
pipelines	array	N	Pipeline names to apply before sending
status	boolean	N	Enable (true) or disable (false) this target

API Configuration

Field	Type	Required	Description
api_version	string	N	API version to use (v1, v2). Default: v2
send_events_as	string	N	Data format (unstructured, udm). Default: unstructured
udm_type	string	N*	UDM submission type (logs, entities). Default: logs
region	string	Y	SecOps ingestion region. See Regions
customer_id	string	Y*	Google SecOps customer ID

* udm_type required when send_events_as: udm with V2 API * customer_id required for V2 API

Authentication

Field	Type	Required	Description
authentication.method	string	N	Authentication method (credentials, secret, apikey, apikeysecret). Default: credentials
service_account_credentials	string	Y*	JSON service account credentials
service_account_credentials_secret	string	Y*	Environment variable containing service account JSON
api_key	string	Y*	API key for authentication (V1 only)
api_key_secret	string	Y*	Environment variable containing API key (V1 only)

* Required field depends on selected authentication method

Unstructured Log Configuration

Field	Type	Required	Description
default_log_type	string	Y*	Default log type name
log_text_field	string	N	Field name to use as log text. If not specified, entire JSON is used
namespace	string	N	SecOps namespace for log organization
custom_log_types	array	N	Custom log type definitions
custom_log_types[].log_type	string	Y	Log type name
custom_log_types[].description	string	N	Log type description

* default_log_type required when send_events_as: unstructured

Labels

Field	Type	Required	Description
labels	array	N	Custom labels to attach to events
labels[].key	string	Y	Label key
labels[].value	string	Y	Label value

Batch Configuration

Field	Type	Required	Description
batch_size	integer	N	Maximum events per batch. Default: 1000
timeout	integer	N	HTTP request timeout in seconds. Default: 30

Normalization

Field	Type	Required	Description
field_format	string	N	Apply format normalization (ECS, ASIM, UDM)

Debug Options

Field	Type	Required	Description
debug.status	boolean	N	Enable debug logging
debug.dont_send_logs	boolean	N	Debug mode without sending (dry run)

Details

Data Sending Options

DataStream supports two approaches for submitting events to Google SecOps:

Unstructured Logs:

• Send raw log data to SecOps
• SecOps applies built-in parsers to convert logs into UDM format
• Simpler configuration requiring only default_log_type
• SecOps handles parsing and normalization
• May encounter parsing issues with proprietary or uncommon log formats
• Best for standard log types with existing SecOps parser support

Pre-Structured UDM Events:

• Transform data into UDM format before sending
• Bypass SecOps parsing entirely
• Complete control over UDM field mapping
• Requires understanding of UDM schema structure
• Eliminates parsing errors and inconsistencies
• Best for custom data sources or precise field control

The choice between approaches depends on data complexity and control requirements. Unstructured logs offer simpler setup with SecOps-managed parsing. Pre-structured UDM provides precision but requires upstream transformation.

Working with Unstructured Data

When using send_events_as: unstructured, log type assignment follows a hierarchical resolution:

Log Type Assignment Hierarchy:

1. Event-level override: Events with __logType field use that value
2. Default assignment: Events without __logType use default_log_type configuration
3. Custom log types: Use custom_log_types array for unsupported or deprecated types

Standard Log Types:

SecOps maintains a dynamic list of supported log types (e.g., FIREWALL_LOG, WINDOWS_EVENT, SYSLOG). The supported types evolve over time as SecOps adds new parsers and deprecates old ones.

For the complete list of supported default parsers, see Google SecOps Parser List.

Custom Log Type Definition:

For log sources without SecOps parser support, define custom log types:

custom_log_types:
  - log_type: PROPRIETARY_APP_LOG
    description: Internal application security logs
  - log_type: LEGACY_FIREWALL
    description: Deprecated firewall format

Custom log types bypass standard SecOps parsing. Events are stored but may require custom SecOps rules for analysis.

Log Text Field Selection:

By default, the entire JSON event is sent as log text. Use log_text_field to extract a specific field:

log_text_field: message  # Send only the 'message' field content

This is useful when the raw log text exists in a specific field while other fields contain metadata.

Regions

Valid SecOps ingestion regions:

Region Code	Location
us	United States
europe	Europe (multi-region)
northamerica-northeast2	Toronto, Canada
southamerica-east1	S�o Paulo, Brazil
europe-west2	London, UK
europe-west3	Frankfurt, Germany
europe-west6	Zurich, Switzerland
europe-west9	Paris, France
europe-west12	Turin, Italy
europe-central2	Warsaw, Poland
africa-south1	Johannesburg, South Africa
asia-northeast1	Tokyo, Japan
asia-south1	Mumbai, India
asia-southeast1	Singapore
asia-southeast2	Jakarta, Indonesia
australia-southeast1	Sydney, Australia
me-central1	Doha, Qatar
me-central2	Dammam, Saudi Arabia
me-west1	Tel Aviv, Israel

API Version Selection

V2 API (Recommended):

• Requires customer_id field
• Supports unstructured logs and UDM
• Regional endpoint support
• Enhanced entity submission

V1 API:

• API key authentication supported
• Legacy endpoint compatibility
• Limited to unstructured logs and UDM events

Authentication Methods

Service Account (OAuth2):

• credentials: Inline JSON service account
• secret: Service account JSON from environment variable

API Key (V1 only):

• apikey: Inline API key
• apikeysecret: API key from environment variable

Service Account Permissions

Service account requires the Chronicle API Writer role or equivalent permissions to ingest data into SecOps.

Data Format Options

Unstructured Logs:

• Raw log text submission
• Requires default_log_type field
• Optional custom log types for classification
• Best for text-based logs or pre-formatted data

UDM (Unified Data Model):

• Structured event submission using SecOps UDM schema
• Use udm_type: logs for security events
• Use udm_type: entities for entity context (V2 only)
• Requires events in UDM format

UDM Format Requirements

When using send_events_as: udm, ensure events conform to Google SecOps UDM schema. Invalid UDM events will be rejected.

Dynamic Field Overrides

Events can override target settings using reserved fields:

• __logType: Override default log type per event
• __namespace: Override namespace per event

These fields are removed before submission.

Examples

Basic V2 Unstructured

Sending unstructured logs to SecOps V2 API using service account authentication from environment variable...

targets: - name: secops-unstructured type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: FIREWALL_LOG authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

V2 with UDM Events

Forwarding UDM-formatted security events to SecOps using inline service account credentials...

targets: - name: secops-udm type: gcpsecops properties: region: europe api_version: v2 send_events_as: udm udm_type: logs customer_id: "${SECOPS_CUSTOMER_ID}" authentication: method: credentials service_account_credentials: | { "type": "service_account", "project_id": "your-project-id", "private_key_id": "key-id", "private_key": "-----BEGIN PRIVATE KEY-----\n...", "client_email": "secops@your-project.iam.gserviceaccount.com" }

V1 with API Key

Using V1 API with API key authentication stored in environment variable...

targets: - name: secops-v1 type: gcpsecops properties: region: us api_version: v1 send_events_as: unstructured default_log_type: CUSTOM_LOG authentication: method: apikeysecret api_key_secret: SECOPS_API_KEY

With Custom Log Types

Defining multiple custom log types for different Windows event categories...

targets: - name: secops-custom-types type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: WINDOWS_EVENT custom_log_types: - log_type: WINDOWS_SECURITY description: Windows security event logs - log_type: WINDOWS_SYSTEM description: Windows system event logs - log_type: WINDOWS_APPLICATION description: Windows application event logs authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

With Namespace and Labels

Organizing logs with namespace and custom labels for production environment tracking...

targets: - name: secops-labeled type: gcpsecops properties: region: europe-west2 api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: NETWORK_LOG namespace: production labels: - key: environment value: production - key: datacenter value: eu-west-1 - key: application value: firewall authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

With Log Text Field

Extracting specific field as log text instead of submitting entire JSON structure...

targets: - name: secops-text-field type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: SYSLOG log_text_field: message authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

V2 UDM Entities

Submitting entity context data using V2 UDM entities endpoint...

targets: - name: secops-entities type: gcpsecops properties: region: us api_version: v2 send_events_as: udm udm_type: entities customer_id: "${SECOPS_CUSTOMER_ID}" authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

Production Configuration

Production-ready configuration with custom log types, labels, and performance tuning...

targets: - name: secops-production type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: SECURITY_EVENT namespace: production log_text_field: raw_log batch_size: 1000 timeout: 30 custom_log_types: - log_type: AUTH_SUCCESS description: Successful authentication events - log_type: AUTH_FAILURE description: Failed authentication attempts - log_type: POLICY_VIOLATION description: Security policy violations labels: - key: tenant value: enterprise - key: compliance value: pci-dss authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS debug: status: false