What Is Google Security Operations (Formerly Known as Google Chronicle)?
Google Security Operations is a cloud-based platform that aims to help enterprises manage and analyze large volumes of security and network telemetry. Built on Google’s infrastructure, it provides tools to retain, search, and analyze their security data at scale.
The platform intends to enable organizations to detect and investigate threats, understand their scope and cause, and take remedial actions through prebuilt integrations with workflow and incident response tools.
By normalizing and indexing data, Google Security Operations provides analysis and contextual insights into suspicious activities. It supports searches across enterprise data to potentially identify compromises at the domain, asset, or IP address level. Security teams might use it to monitor threats over extended periods.
This is part of a series of articles about Google Cloud security.
Key Features Of Google Security Operations
1. Data Collection
Google Security Operations ingests various types of security telemetry data using:
- A forwarder: Software deployed in customer networks for syslog, packet capture, and integration with existing SIEM systems.
- Ingestion APIs: APIs for directly sending logs to the platform.
- Third-party integrations: Prebuilt connectors for cloud services like Office 365 and Azure AD.
2. Detection and Threat Analysis
The platform uses the Unified Data Model (UDM) to normalize and correlate data, linking it to detections and threat intelligence. Analysts can use raw log scans or UDM-based searches, including regular expressions, to identify potential threats and analyze their causes.
3. Investigation and Case Management
Analysts might group related alerts into cases, assign and prioritize them, and collaborate on investigations. Features like procedural filtering and investigative views (e.g., asset, IP address, hash, domain, and user views) provide deep context on affected entities. The Graph Investigator visualizes the timeline and scope of attacks, intending to help teams identify opportunities for threat hunting and take action.
4. Response Automation
The platform includes a Playbook Designer that aims to help teams create automated workflows with a drag-and-drop interface. Analysts can modify existing playbooks and build new ones using an integrated development environment (IDE).
5. Dashboards and Reporting
Security teams can leverage built-in dashboards to monitor metrics like SOC performance and key performance indicators (KPIs). These dashboards aim to help measure operational effectiveness and build customized views.
6. Detection Engine
The Detection Engine allows users to automate security monitoring by setting up rules that search across incoming data for known and potential threats. It provides notifications for detected issues, with the aim of enabling quicker response and mitigation.
Google SecOps Platform Overview
Let’s review the main functionality provided by the Google SecOps platform.
SIEM and SOAR Functionality
SIEM search and dashboards
SIEM tools focus on processing and analyzing security telemetry, with capabilities for:
- UDM search: Helps users search for events and alerts normalized into the Unified Data Model (UDM). Users can view raw logs alongside correlated UDM events, including data ingested from SOAR connectors.
- Dashboards: Aim to provide insights into telemetry metrics, detections, alerts, and IOCs.
SOAR search and dashboards
SOAR tools are for case management and response automation:
- SOAR search: Helps users locate cases and entities related to security incidents. It allows bulk actions like merging cases and looking into entity-specific details.
- Dashboards: Allow users to view case statuses, playbooks, and SOC analyst metrics. Custom dashboards can be created and shared across the team.
Data Ingestion Capabilities
Google SecOps supports data ingestion from its inbuilt SIEM as well as third-party SIEMs:
- Inbuilt SIEM: Designed to ingest raw logs directly using forwarders and data feeds, providing integration with the platform.
- Third-party SIEMs: Logs and alerts can be ingested through SOAR connectors and webhooks. These alerts are visible in the UDM search but do not undergo the inbuilt SIEM’s detection rules.
Administration and Configuration
Administrative tasks for SIEM and SOAR are managed independently:
- SIEM settings: Control ingestion, parsing, and rule configurations for SIEM-related features.
- SOAR settings: Designed to govern automation, playbooks, and platform permissions, including user group settings. Some platform-wide configurations, like identity provider (IDP) group mapping, are managed here.
Permissions configured through identity and access management (IAM) are applied immediately, while those managed via SOAR settings take effect at the next login.
Google Security Operations Limitations
Although Google Security Operations provides features for threat detection and response, users have identified several limitations that may impact its usability, performance, and support experience. These limitations were reported by users on the G2 platform:
- Lack of adequate support: Users report delays in receiving assistance for bugs or issues.
- Increased pricing and eroded partnerships: Following Google’s acquisition of the platform, prices have risen, and close partnerships, like the one with Siemplify, have weakened.
- Complexity of playbooks: The playbook feature may be too complicated for new users, requiring a steep learning curve for effective use.
- Sluggish performance: The platform requires a strong internet connection and can become slow or unresponsive under weaker network conditions.
- Search filter inconsistencies: The filter option in the search bar occasionally fails to retrieve the data specified in search fields.
- Reporting challenges: The reporting functionality, built on Tableau, is undergoing redevelopment.
- Alert mapping limitations: Mapping of alert IDs is not available on the preview tab, limiting quick identification and analysis.
Exabeam: Ultimate Google SecOps Alternative
Exabeam is a leading provider of security information and event management (SIEM) solutions, combining UEBA, SIEM, SOAR, and TDIR to accelerate security operations. Its Security Operations platform enables security teams to quickly detect, investigate, and respond to threats while enhancing operational efficiency.
Key Features:
- Scalable log collection and management: The open platform accelerates log onboarding by 70%, eliminating the need for advanced engineering skills while ensuring seamless log aggregation across hybrid environments.
- Behavioral analytics: Uses advanced analytics to baseline normal vs. abnormal behavior, detecting insider threats, lateral movement, and advanced attacks missed by signature-based systems. Customers report that Exabeam helps detect and respond to 90% of attacks before other vendors can catch them.
- Automated threat response: Simplifies security operations by automating incident timelines, reducing manual effort by 30%, and accelerating investigation times by 80%.
- Contextual incident investigation: Since Exabeam automates timeline creation and reduces time spent on menial tasks, it cuts the time to detect and respond to threats by over 50%. Pre-built correlation rules, anomaly detection models, and vendor integrations reduce alerts by 60%, minimizing false positives.
- SaaS and cloud-native options: Flexible deployment options provide scalability for cloud-first and hybrid environments, ensuring rapid time to value for customers. For organizations that can’t or won’t move their SIEM to the cloud, Exabeam provides a market-leading, full-featured, self-hosted SIEM.
- Network visibility with NetMon: Delivers deep insight beyond firewalls and IDS/IPS, detecting threats like data theft and botnet activity while making investigation easier with flexible searching. Deep Packet Analytics (DPA) also builds on the NetMon Deep Packet Inspection (DPI) engine to interpret key indicators of compromise (IOCs).
Exabeam customers consistently highlight how its real-time visibility, automation, and AI-powered productivity tools uplevel security talent, transforming overwhelmed analysts into proactive defenders while reducing costs and maintaining industry-leading support.