Google SecOps

GCP Security Target

Synopsis

The Google SecOps target forwards events to Google Security Operations using the Ingestion API. Supports both V1 and V2 API versions with unstructured logs or UDM (Unified Data Model) format submission.

Schema

- name: <string>
  description: <string>
  type: gcpsecops
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    api_version: <string>
    send_events_as: <string>
    udm_type: <string>
    region: <string>
    customer_id: <string>
    authentication:
      method: <credentials|secret|apikey|apikeysecret>
    service_account_credentials: <string>
    service_account_credentials_secret: <string>
    api_key: <string>
    api_key_secret: <string>
    default_log_type: <string>
    log_text_field: <string>
    namespace: <string>
    custom_log_types:
      - log_type: <string>
        description: <string>
    labels:
      - key: <string>
        value: <string>
    batch_size: <integer>
    timeout: <integer>
    request_timeout: <integer>
    field_format: <string>
    debug:
      status: <boolean>
      dont_send_logs: <boolean>

Configuration

The following fields are used to define the target:

Field	Required	Default	Description
name	Y		Target name
description	N	-	Optional description
type	Y		Must be gcpsecops
pipelines	N	-	Optional post-processor pipelines
status	N	true	Enable/disable the target

API Configuration

Field	Required	Default	Description
api_version	N	v2	API version: v1, v2
send_events_as	N	unstructured	Data format: unstructured, udm
udm_type	N*	logs	UDM submission type: logs, entities
region	Y	-	SecOps ingestion region. See Regions below
customer_id	Y*	-	Google SecOps customer ID

* = Conditionally required. udm_type applies when send_events_as: udm with V2 API. customer_id is required for V2 API.

Authentication

Field	Required	Default	Description
authentication.method	N	credentials	Authentication method: credentials, secret, apikey, apikeysecret
service_account_credentials	Y*	-	Inline JSON service account credentials
service_account_credentials_secret	Y*	-	Environment variable name containing service account JSON
api_key	Y*	-	Inline API key (V1 only)
api_key_secret	Y*	-	Environment variable name containing API key (V1 only)

* = Conditionally required. The applicable field depends on authentication.method: credentials → service_account_credentials; secret → service_account_credentials_secret; apikey → api_key (V1 only); apikeysecret → api_key_secret (V1 only).

Unstructured Log Configuration

Field	Required	Default	Description
default_log_type	Y*	-	Default log type name
log_text_field	N	-	Field name to use as log text. If empty, entire JSON event is used
namespace	N	-	SecOps namespace for log organization
custom_log_types	N	-	Array of custom log type definitions
custom_log_types[].log_type	Y	-	Log type name
custom_log_types[].description	N	-	Log type description

* = default_log_type is required when send_events_as: unstructured (the default).

Labels

Field	Required	Default	Description
labels	N	-	Array of custom labels to attach to events
labels[].key	Y	-	Label key
labels[].value	Y	-	Label value

Batch Configuration

Field	Required	Default	Description
batch_size	N	1000	Maximum events per batch
timeout	N	30	Request timeout in seconds
request_timeout	N	30	HTTP client timeout in seconds

Processing

Field	Required	Default	Description
field_format	N	-	Data normalization format. See applicable Normalization section

Scheduling

See Scheduling and Pool Behavior for interval and cron fields shared by all targets.

Debug Options

Field	Required	Default	Description
debug.status	N	false	Enable debug logging
debug.dont_send_logs	N	false	Process logs but don't send to target (testing)

Details

Data Sending Options

DataStream supports two approaches for submitting events to Google SecOps:

Unstructured Logs:

• Send raw log data to SecOps
• SecOps applies built-in parsers to convert logs into UDM format
• Simpler configuration requiring only default_log_type
• SecOps handles parsing and normalization
• May encounter parsing issues with proprietary or uncommon log formats
• Best for standard log types with existing SecOps parser support

Pre-Structured UDM Events:

• Transform data into UDM format before sending
• Bypass SecOps parsing entirely
• Complete control over UDM field mapping
• Requires understanding of UDM schema structure
• Eliminates parsing errors and inconsistencies
• Best for custom data sources or precise field control

The choice between approaches depends on data complexity and control requirements. Unstructured logs offer simpler setup with SecOps-managed parsing. Pre-structured UDM provides precision but requires upstream transformation.

Working with Unstructured Data

When using send_events_as: unstructured, log type assignment follows a hierarchical resolution:

Log Type Assignment Hierarchy:

1. Event-level override: Events with __logType field use that value
2. Default assignment: Events without __logType use default_log_type configuration
3. Custom log types: Use custom_log_types array for unsupported or deprecated types

Standard Log Types:

SecOps maintains a dynamic list of supported log types (e.g., FIREWALL_LOG, WINDOWS_EVENT, SYSLOG). The supported types evolve over time as SecOps adds new parsers and deprecates old ones.

For the complete list of supported default parsers, see Google SecOps Parser List.

Custom Log Type Definition:

For log sources without SecOps parser support, define custom log types:

custom_log_types:
  - log_type: PROPRIETARY_APP_LOG
    description: Internal application security logs
  - log_type: LEGACY_FIREWALL
    description: Deprecated firewall format

Custom log types bypass standard SecOps parsing. Events are stored but may require custom SecOps rules for analysis.

Log Text Field Selection:

By default, the entire JSON event is sent as log text. Use log_text_field to extract a specific field:

log_text_field: message  # Send only the 'message' field content

This is useful when the raw log text exists in a specific field while other fields contain metadata.

Regions

Valid SecOps ingestion regions:

Region Code	Location
us	United States
europe	Europe (multi-region)
northamerica-northeast2	Toronto, Canada
southamerica-east1	S�o Paulo, Brazil
europe-west2	London, UK
europe-west3	Frankfurt, Germany
europe-west6	Zurich, Switzerland
europe-west9	Paris, France
europe-west12	Turin, Italy
europe-central2	Warsaw, Poland
africa-south1	Johannesburg, South Africa
asia-northeast1	Tokyo, Japan
asia-south1	Mumbai, India
asia-southeast1	Singapore
asia-southeast2	Jakarta, Indonesia
australia-southeast1	Sydney, Australia
me-central1	Doha, Qatar
me-central2	Dammam, Saudi Arabia
me-west1	Tel Aviv, Israel

API Version Selection

V2 API (Recommended):

• Requires customer_id field
• Supports unstructured logs and UDM
• Regional endpoint support
• Enhanced entity submission

V1 API:

• API key authentication supported
• Legacy endpoint compatibility
• Limited to unstructured logs and UDM events

Authentication Methods

Service Account (OAuth2):

• credentials: Inline JSON service account
• secret: Service account JSON from environment variable

API Key (V1 only):

• apikey: Inline API key
• apikeysecret: API key from environment variable

Service Account Permissions

Service account requires the Chronicle API Writer role or equivalent permissions to ingest data into SecOps.

Data Format Options

Unstructured Logs:

• Raw log text submission
• Requires default_log_type field
• Optional custom log types for classification
• Best for text-based logs or pre-formatted data

UDM (Unified Data Model):

• Structured event submission using SecOps UDM schema
• Use udm_type: logs for security events
• Use udm_type: entities for entity context (V2 only)
• Requires events in UDM format

UDM Format Requirements

When using send_events_as: udm, ensure events conform to Google SecOps UDM schema. Invalid UDM events will be rejected.

Dynamic Field Overrides

Events can override target settings using reserved fields:

• __logType: Override default log type per event
• __namespace: Override namespace per event

These fields are removed before submission.

Examples

Basic V2 Unstructured

Sending unstructured logs to SecOps V2 API using service account authentication from environment variable...

targets: - name: secops-unstructured type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: FIREWALL_LOG authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

V2 with UDM Events

Forwarding UDM-formatted security events to SecOps using inline service account credentials...

targets: - name: secops-udm type: gcpsecops properties: region: europe api_version: v2 send_events_as: udm udm_type: logs customer_id: "${SECOPS_CUSTOMER_ID}" authentication: method: credentials service_account_credentials: | { "type": "service_account", "project_id": "your-project-id", "private_key_id": "key-id", "private_key": "-----BEGIN PRIVATE KEY-----\n...", "client_email": "secops@your-project.iam.gserviceaccount.com" }

V1 with API Key

Using V1 API with API key authentication stored in environment variable...

targets: - name: secops-v1 type: gcpsecops properties: region: us api_version: v1 send_events_as: unstructured default_log_type: CUSTOM_LOG authentication: method: apikeysecret api_key_secret: SECOPS_API_KEY

With Custom Log Types

Defining multiple custom log types for different Windows event categories...

targets: - name: secops-custom-types type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: WINDOWS_EVENT custom_log_types: - log_type: WINDOWS_SECURITY description: Windows security event logs - log_type: WINDOWS_SYSTEM description: Windows system event logs - log_type: WINDOWS_APPLICATION description: Windows application event logs authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

With Namespace and Labels

Organizing logs with namespace and custom labels for production environment tracking...

targets: - name: secops-labeled type: gcpsecops properties: region: europe-west2 api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: NETWORK_LOG namespace: production labels: - key: environment value: production - key: datacenter value: eu-west-1 - key: application value: firewall authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

With Log Text Field

Extracting specific field as log text instead of submitting entire JSON structure...

targets: - name: secops-text-field type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: SYSLOG log_text_field: message authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

V2 UDM Entities

Submitting entity context data using V2 UDM entities endpoint...

targets: - name: secops-entities type: gcpsecops properties: region: us api_version: v2 send_events_as: udm udm_type: entities customer_id: "${SECOPS_CUSTOMER_ID}" authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS

Production Configuration

Production-ready configuration with custom log types, labels, and performance tuning...

targets: - name: secops-production type: gcpsecops properties: region: us api_version: v2 send_events_as: unstructured customer_id: "${SECOPS_CUSTOMER_ID}" default_log_type: SECURITY_EVENT namespace: production log_text_field: raw_log batch_size: 1000 timeout: 30 custom_log_types: - log_type: AUTH_SUCCESS description: Successful authentication events - log_type: AUTH_FAILURE description: Failed authentication attempts - log_type: POLICY_VIOLATION description: Security policy violations labels: - key: tenant value: enterprise - key: compliance value: pci-dss authentication: method: secret service_account_credentials_secret: GCP_SECOPS_CREDENTIALS debug: status: false