This page provides an overview of Google SecOps feed management.
You can create and manage feeds using the feed management UI or the feed management API.
The feed management UI is built on the feed management API. You can use Google SecOps
data feeds to ingest log data into your Google SecOps instance from the following sources:
- Cloud Storage services that are supported by Google SecOps, such as Google Cloud Storage and Amazon S3
- Third-party data sources that are supported by Google SecOps and accessed through an API, such as Microsoft 365
- Files accessible directly using HTTP(S) requests
- Sources that support HTTPS push ingestion, such as webhooks, Pub/Sub, and Amazon Data Firehose. You can push logs using an HTTPS endpoint from these sources.

Each feed that you create is composed of a data source type and a log type.
Google Cloud Storage, third-party APIs, and HTTP-accessible files are examples
of source types. For each data source type that Google SecOps supports, Google SecOps
also supports specific log types. For example, for the Google Cloud Storage source type,
Google SecOps supports the Carbon Black log type and many others. The list of
supported log types varies by source type.
When you create a feed, you specify the source type, log type, required permissions,
authentication details, and other information that is based on the log type. As part
of its security design, Google SecOps stores user credentials (for example,
credentials that you provide so that a Google SecOps
feed can ingest log data from a third-party API) in Secret Manager.
If Google SecOps provides a default parser
for the log type, then the ingested log data is stored in both Google SecOps
Unified Data Model (UDM) format and raw log format.
Supported source types and log types
Google SecOps supports the following source types:

| Feed source type | Description |
| --- | --- |
| Third-party API | Ingest data from a third-party API. |
| Pub/Sub | Ingest data using a Pub/Sub push subscription. |
| Google Cloud Storage | Ingest data from a Google Cloud Storage bucket. |
| Amazon Data Firehose | Ingest data using Amazon Data Firehose. |
| Amazon S3 | Ingest data from an Amazon Simple Storage Service bucket. |
| Amazon SQS | Ingest data from an Amazon Simple Queue Service queue whose entries point to files stored in S3. |
| Azure Blobstore | Ingest data from Azure Blob Storage. |
| HTTP(S) | Ingest data from files accessible by an HTTP(S) request. Do not use this source type to interact with third-party APIs. Use the API feed source type for third-party APIs supported by Google SecOps. |
| Webhook | Ingest data using an HTTPS webhook. |

There are several ways to view a list of supported log types:
- Google SecOps UI: For information about how to view the list of supported log types for each source type, see Add a feed.
- API reference documentation: To view a list of supported log types for third-party API feeds, see Configuration by log type.
- Feed Schema API: To view log types for any source type, you can also use the Feed Schema API.

Note: The log types listed in third-party endpoints in the Feed UI are not listed in any other Cloud Storage options like AWS S3, AWS SQS, Google Cloud Storage, and Azure Blob Store.

Note: To restrict access using Google Cloud public IP range, open a support ticket.

Last updated 2025-08-29 UTC.