Google SecOps data ingestion
Supported in: Google SecOps SIEM
Last updated 2025-08-29 UTC.
Google Security Operations ingests customer logs, normalizes the data, and detects
security alerts. It provides self-service features for data ingestion, threat
detection, alerts, and case management. Google SecOps can also receive alerts
from other SIEM systems and analyze them.
Note: Large files (5-10 GB or larger) can significantly delay data ingestion.
Google SecOps log ingestion
The Google SecOps ingestion service acts as a gateway for all data.
Google SecOps ingests data using the following systems:
- Forwarders: Remote agents installed on customer endpoints that send data to the
  Google SecOps ingestion service. For details about how to install Linux and
  Windows forwarders, see Install and configure the forwarder.
- Bindplane agent: The Bindplane agent collects logs from various sources and
  sends them to Google SecOps. You can manage this agent using the optional
  Bindplane OP Management console. For more information, see Use the Bindplane
  agent.
- Ingestion APIs: Google SecOps provides public ingestion APIs that let you send
  data directly. For more information, see the Ingestion API reference.
- Google Cloud: Google SecOps retrieves data directly from your Google Cloud
  organization. For more information, see Ingest Google Cloud data to Google
  SecOps.
- Data feeds: Data feeds retrieve data from static external locations (such as
  Amazon S3) and third-party APIs (such as Okta). These data feeds send logs
  directly to the Google SecOps ingestion service. For more information, see the
  feed management documentation. Data feeds support log lines up to 4 MB in size.
Note: Google SecOps recommends using UTC or ISO 8601 formats for log timestamps.
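The following is an added example, not code from the Google SecOps documentation, showing what a client that pushes raw logs through the Ingestion API has to take care of: batching, the per-line size ceiling, and UTC RFC 3339 timestamps. The request shape (customer_id, log_type, entries[].log_text, entries[].ts_rfc3339), the unstructuredlogentries:batchCreate endpoint, the OAuth scope and the 1 MB per-request budget are assumptions from memory that must be checked against the Ingestion API reference; the 4 MB figure is the documented data-feed limit, reused here as a conservative ceiling for a single entry. The sample log lines and the NIX_SYSTEM log-type label are constructed.

```python
"""Build and send Google SecOps Ingestion API batches from raw log lines (added example)."""
import json
import urllib.request
from datetime import datetime, timezone

MAX_LINE_BYTES = 4 * 1024 * 1024   # documented data-feed ceiling per log line, reused here
MAX_BATCH_BYTES = 1 * 1024 * 1024  # assumed per-request budget; verify against the API reference

# Assumed v2 endpoint for unstructured log entries; confirm host/region in the reference.
INGEST_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
INGEST_SCOPE = "https://www.googleapis.com/auth/malachite-ingestion"  # assumed OAuth scope

# Constructed sample input: two sshd lines and one oversized line that must be rejected.
SAMPLE_LINES = [
    "Jan  1 12:00:01 web01 sshd[2131]: Failed password for root from 203.0.113.5 port 51012 ssh2",
    "Jan  1 12:00:03 web01 sshd[2131]: Accepted password for deploy from 198.51.100.7 port 51020 ssh2",
    "x" * (MAX_LINE_BYTES + 1),
]


def utc_rfc3339(ts: datetime) -> str:
    """Render a timestamp in UTC / RFC 3339 (ISO 8601), the format the docs recommend."""
    if ts.tzinfo is None:
        # A naive datetime has no defined offset; refusing it avoids silently shifting events.
        raise ValueError("naive datetime; attach tzinfo so the UTC conversion is unambiguous")
    return ts.astimezone(timezone.utc).isoformat(timespec="microseconds").replace("+00:00", "Z")


def build_batches(customer_id, log_type, lines, observed_at, max_batch_bytes=MAX_BATCH_BYTES):
    """Split raw lines into batchCreate request bodies.

    Returns (batches, rejected). Lines above MAX_LINE_BYTES are rejected, not truncated:
    a truncated log line silently drops the evidence a later detection would need.
    """
    batches, rejected = [], []
    entries, size = [], 0
    ts = utc_rfc3339(observed_at)

    def flush():
        nonlocal entries, size
        if entries:
            batches.append({"customer_id": customer_id, "log_type": log_type, "entries": entries})
            entries, size = [], 0

    for line in lines:
        line_bytes = len(line.encode("utf-8"))
        if line_bytes > MAX_LINE_BYTES:
            rejected.append((line[:60], line_bytes))  # keep a prefix for the error report
            continue
        entry = {"log_text": line, "ts_rfc3339": ts}
        entry_bytes = len(json.dumps(entry).encode("utf-8"))
        if entries and size + entry_bytes > max_batch_bytes:
            flush()  # start a new request rather than exceed the per-request budget
        entries.append(entry)
        size += entry_bytes
    flush()
    return batches, rejected


def send_batch(batch, access_token, url=INGEST_URL, timeout=30):
    """POST one batch with a bearer token minted for INGEST_SCOPE (network call, not run in tests)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(batch).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    batches, rejected = build_batches("customer-id", "NIX_SYSTEM", SAMPLE_LINES, now)
    print(f"{len(batches)} batch(es), {len(rejected)} rejected line(s)")
    for prefix, size in rejected:
        print(f"rejected {size} bytes starting {prefix!r}")
```

Rejected lines are returned rather than logged and forgotten, so the caller can route them to a dead-letter store; a feed that silently loses oversized lines is a visibility gap an attacker can rely on.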
Parsers convert logs from customer systems
into a Unified Data Model (UDM). Downstream systems within
Google SecOps use the UDM to provide additional capabilities,
including rules and UDM search. Google SecOps can ingest both
logs and alerts, but supports only single-event alerts. You can use UDM search
to find both ingested and
built-in Google SecOps alerts.
Understand Google SecOps ingestion process
Google SecOps supports the following types of data ingestion:
Raw logs
Google SecOps ingests raw logs using forwarders, the ingestion
API, data feeds, or directly from Google Cloud.
Alerts from other SIEM systems
Google SecOps can ingest alerts from other SIEM systems, EDRs, or ticketing
systems, as follows:
1. Receive alerts using Google SecOps connectors or Google SecOps webhooks.
2. Ingest the events associated with each alert and create a corresponding
   detection.
3. Process both the ingested events and detections.
You can create detection engine rules to identify patterns in the ingested
events and generate additional detections.
Note: Detection engine rules don't identify patterns in ingested alerts, only in
ingested events.
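The following is an added example, not Google SecOps code, that models two steps the page describes: a parser normalizing raw lines into the Unified Data Model, and a detection rule that matches a pattern across the normalized events rather than the raw text. Real Google SecOps parsers are written in the product's parser syntax and rules in YARA-L; this Python only reproduces the shape of the work. The UDM field names used (metadata.event_type, principal.ip, target.user.userid, security_result.action) are standard UDM fields; the sshd sample lines, the product/vendor labels, and the failure threshold are constructed.

```python
"""Parse-to-UDM model plus a multi-event rule over UDM fields (added example)."""
import re
from collections import defaultdict

# Constructed sample: a password-guessing burst, then a success from the same source,
# one unrelated success, and one line the sshd parser does not cover.
RAW_LINES = [
    "Jan  1 12:00:01 web01 sshd[2131]: Failed password for root from 203.0.113.5 port 51012 ssh2",
    "Jan  1 12:00:02 web01 sshd[2132]: Failed password for root from 203.0.113.5 port 51013 ssh2",
    "Jan  1 12:00:03 web01 sshd[2133]: Failed password for admin from 203.0.113.5 port 51014 ssh2",
    "Jan  1 12:00:04 web01 sshd[2134]: Accepted password for deploy from 203.0.113.5 port 51015 ssh2",
    "Jan  1 12:00:05 web01 sshd[2135]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2",
    "Jan  1 12:00:06 web01 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_to_udm(line):
    """Normalize one sshd auth line into a UDM-shaped dict, or None if it does not match.

    Returning None instead of a half-empty event keeps unparsed lines visible, which is
    how parser coverage gaps get found instead of hidden.
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    allowed = m["outcome"] == "Accepted"
    return {
        "metadata": {"event_type": "USER_LOGIN", "product_name": "OpenSSH", "vendor_name": "OpenBSD"},
        "principal": {"ip": m["ip"], "port": int(m["port"])},
        "target": {"hostname": m["host"], "user": {"userid": m["user"]}},
        "security_result": {"action": "ALLOW" if allowed else "BLOCK"},
    }


def brute_force_then_success(events, failures=3):
    """Flag a source IP whose >= `failures` BLOCKed logins are followed by an ALLOW.

    The rule keys on UDM fields only, so once another source (VPN, Windows, a cloud IdP)
    is normalized to USER_LOGIN the same rule covers it without a per-source rewrite.
    """
    failed = defaultdict(int)
    hits = []
    for ev in events:
        if ev["metadata"]["event_type"] != "USER_LOGIN":
            continue
        ip = ev["principal"]["ip"]
        action = ev["security_result"]["action"]
        if action == "BLOCK":
            failed[ip] += 1
        elif action == "ALLOW" and failed[ip] >= failures:
            hits.append({
                "principal_ip": ip,
                "failed_before_success": failed[ip],
                "userid": ev["target"]["user"]["userid"],
            })
            failed[ip] = 0  # one detection per burst, not one per later success
    return hits


def run(lines=RAW_LINES):
    """Parse all lines, separate unparsed ones, and evaluate the rule. Returns (events, unparsed, hits)."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_to_udm(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed, brute_force_then_success(events)


if __name__ == "__main__":
    events, unparsed, hits = run()
    print(f"{len(events)} UDM events, {len(unparsed)} unparsed line(s)")
    for hit in hits:
        print("detection:", hit)
```

Note the unparsed cron line: in production that count is the metric to alarm on, because every line the parser drops is a line no rule will ever see.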