Google Security Operations
Overview
All Security Operations topics
Google SecOps overview
What's new in Google SecOps?
Release plan for Google SecOps
Log in to Google Security Operations
Navigate the Google SecOps platform
Understand the Google SecOps platform
Configure user preferences
Gemini in SecOps
Google SecOps Labs
Use Gemini and other experiments in Google SecOps
Use the Alert Response Recommender
Gemini documentation summaries
Onboarding
Onboard a Google SecOps instance
Configure a Google Cloud project for Google SecOps
Configure a Google Cloud identity provider
Configure a third-party identity provider
Link a Google SecOps instance to Google Cloud services
Configure feature access control using IAM
Configure data RBAC using IAM
RBAC user guide for applications not using IAM
Map users in the Google SecOps platform using Google Cloud identity
Map users with multiple control access parameters
Map users in the Google SecOps platform using IdP groups
User management
Add SIEM or SOAR users to Google SecOps
Quickstart: Conduct a search
Quickstart: Investigate an alert
Data Collection
Ingestion
Google SecOps data ingestion
Overview of data ingestion
Content Hub overview
Supported data sets and default parsers
Ingest data to Google SecOps
Install and configure forwarders
Install and configure the forwarder
Manage forwarder configurations through the UI
Manage forwarder configurations manually
Google SecOps forwarder executable for Windows
Troubleshoot common Linux forwarder issues
Bindplane collection agent
Use the Bindplane agent
Configure Bindplane for Silent Host Monitoring
Set up data feeds
Feed management overview
Use the feed management application
Create an Azure Event Hub feed
Use the feed management API
Data Processing Pipelines
Set up and manage data processing pipelines
Use ingestion scripts deployed as Cloud Functions
Use the Ingestion API
Configure burst limits
Ingest Google Cloud data to Google SecOps
Product Centric Feed management
Default parsers
Default parser list
Premium parsers
Apigee logs
AWS EC2 Hosts logs
AWS EC2 Instance logs
Chrome management logs
Cisco ASA firewall logs
Context Resource Parsers
CrowdStrike Falcon logs
Duo Activity logs
Fluentd logs
Fortinet Firewall logs
Ingest Google Cloud data to Google Security Operations
Google Cloud Abuse Events logs
Google Cloud Audit Logs
Google Cloud DNS logs
Google Cloud Firewall logs
Google Cloud Load Balancing logs
Google Cloud NAT logs
Google Kubernetes Engine (GKE) logs
Google Cloud SQL logs
Google Workspace logs
Jamf Protect logs
Jamf Telemetry logs
Jamf Protect Telemetry v2 logs
Jamf Threat Events logs
Microsoft 365 logs
Microsoft Defender for Endpoint logs
Microsoft Graph API alerts logs
Microsoft Windows AD logs
Microsoft Windows DHCP logs
Microsoft Windows DNS logs
Microsoft Windows Event logs
Microsoft Windows Sysmon logs
NIX System logs
OCSF logs
OSSEC logs
osquery logs
Palo Alto Networks firewall logs
Security Command Center findings
SentinelOne Alert logs
SentinelOne Cloud Funnel logs
Splunk CIM logs
Zeek (Bro) logs
Zscaler CASB logs
Zscaler parsers overview
Zscaler Deception logs
Zscaler DLP logs
Zscaler DNS logs
Zscaler Firewall logs
Zscaler Internet Access logs
Zscaler Tunnel logs
Zscaler VPN logs
Zscaler Web Proxy logs
Zscaler ZPA logs
Zscaler ZPA Audit logs
Standard Parsers A - B - C
A10 Network Load Balancer logs
Abnormal Security logs
Acalvio logs
Akamai Cloud Monitor logs
Akamai DataStream 2 logs
Akamai DNS logs
Akamai WAF logs
Akeyless Vault logs
Alcatel switch logs
AlgoSec Security Management logs
Amazon CloudFront logs
Anomali ThreatStream IOC logs
Ansible AWX logs
Apache logs
Apache Cassandra logs
Apache Tomcat logs
Appian Cloud logs
Apple macOS syslog data
Aqua Security logs
Arbor Edge Defense logs
Archer IRM logs
ArcSight CEF logs
Arista switch logs
Area 1 logs
Aruba ClearPass logs
Aruba EdgeConnect SD-WAN logs
Aruba switch logs
Aruba Wireless Controller and Access Point logs
Atlassian Bitbucket logs
Atlassian Cloud Admin Audit logs
Atlassian Jira logs
Attivo Networks BOTsink logs
Auth0 logs
Automation Anywhere logs
Avatier logs
Avaya Aura logs
Avigilon Access Control Manager logs
Aware audit logs
AWS API Gateway access logs
AWS Aurora logs
AWS CloudTrail logs
AWS CloudWatch logs
AWS Config logs
AWS Control Tower logs
AWS Elastic Load Balancing logs
AWS Elastic MapReduce logs
AWS GuardDuty logs
AWS IAM logs
AWS Key Management Service logs
AWS Macie logs
AWS Network Firewall logs
AWS RDS logs
AWS Route 53 logs
AWS S3 server access logs
AWS Security Hub logs
AWS Session Manager logs
AWS VPC Flow logs
AWS VPC Transit Gateway flow logs
AWS VPN logs
AWS WAF logs
Azion firewall logs
Azure AD Sign-In logs
Azure API Management logs
Azure APP Service logs
Azure Application Gateway logs
Azure Firewall logs
Azure Storage Audit logs
Azure VPN logs
Azure WAF logs
Barracuda CloudGen Firewall logs
Barracuda Email Security Gateway logs
Barracuda WAF logs
Barracuda Web Filter logs
BeyondTrust BeyondInsight logs
BeyondTrust EPM logs
BeyondTrust Privileged Identity logs
BeyondTrust Remote Support logs
BeyondTrust Secure Remote Access logs
Bitdefender logs
Bitwarden Enterprise event logs
BloxOne Threat Defense logs
BlueCat DDI logs
BlueCat Edge logs
Blue Coat ProxySG logs
BMC Helix Discovery logs
Box Collaboration JSON logs
Broadcom CA PAM logs
Broadcom SSL VA logs
Broadcom Symantec SiteMinder Web Access logs
Brocade ServerIron logs
Brocade switch logs
Cambium Networks logs
Carbon Black App Control logs
Carbon Black EDR logs
Cato Networks logs
Censys logs
Check Point Audit logs
Check Point EDR logs
Check Point firewall logs
Check Point Harmony
Check Point SmartDefense logs
CipherTrust Manager logs
CircleCI audit logs
Cisco Application Control Engine (ACE) logs
Cisco Firepower NGFW logs
Cisco Firewall Service Module (FWSM) logs
Cisco IronPort logs
Cisco IOS logs
Cisco ISE logs
Cisco Meraki logs
Cisco PIX logs
Cisco Prime logs
Cisco Router logs
Cisco Secure ACS logs
Cisco Secure Email Gateway logs
Cisco Stealthwatch logs
Cisco Switch logs
Cisco UCS logs
Cisco VCS logs
Cisco VPN logs
Cisco Web Security Appliance (WSA) logs
Cisco Wireless Intrusion Prevention System (WIPS) logs
Cisco Wireless LAN Controller (WLC) logs
Cisco Wireless Security Management (WiSM) logs
Cloud Identity Devices logs
Cloud Identity Device Users logs
Cloud Intrusion Detection System (Cloud IDS) logs
Context Access Aware data
Cloud Next Generation Firewall logs
Cloud Run logs
Cloud Storage Context logs
Cloudflare logs
Cloudflare WAF logs
Cloudian HyperStore logs
CloudPassage Halo logs
Code42 Incydr core datasets
Cohesity logs
Commvault logs
CommVault Backup and Recovery logs
Comodo AV logs
Corelight Sensor logs
CrowdStrike Falcon logs in CEF
CrowdStrike Falcon Stream logs
CrushFTP logs
CSV Custom IOC files
CyberArk EPM logs
CyberArk PAM logs
CyberArk Privilege Cloud logs
CyberArk Privileged Threat Analytics logs
CyberX logs
Cylance PROTECT logs
Cyolo OT logs
Standard Parsers D - E - F - G
Datadog logs
Darktrace logs
Deep Instinct EDR logs
Delinea Distributed Engine logs
Delinea PAM logs
Delinea Secret Server logs
Dell CyberSense logs
Dell ECS logs
Dell EMC Data Domain logs
Dell EMC Isilon NAS logs
Dell EMC PowerStore logs
Dell OpenManage logs
Dell switch logs
DigiCert audit logs
Digi Modems logs
DomainTools Iris Investigate results
Duo administrator logs
Duo authentication logs
Duo entity context logs
Duo User context logs
Endpoint Protector DLP logs
Epic Systems logs
ESET AV logs
ESET EDR logs
ExtraHop DNS logs
ExtraHop RevealX logs
Extreme switch logs
Extreme Wireless logs
F5 AFM logs
F5 ASM logs
F5 BIG-IP APM logs
F5 BIG-IP ASM logs
F5 BIG-IP LTM logs
F5 DNS logs
F5 VPN logs
Fastly WAF logs
Fidelis Network logs
FileZilla FTP logs
FireEye HX logs
FireEye NX logs
Forcepoint CASB logs
Forcepoint DLP logs
Forcepoint Proxy logs
Forescout NAC logs
ForgeRock OpenAM logs
Fortinet FortiAnalyzer logs
Fortinet FortiAuthenticator logs
Fortinet FortiMail logs
FortiWeb WAF logs
Fortra Digital Guardian DLP logs
GitHub audit logs
GitLab logs
Google Cloud IoT logs
Google Cloud Compute context logs
Google Cloud Compute logs
Google Cloud IDS logs
Google Workspace Activity logs
Standard Parsers H - I - J - K
HAProxy logs
Harness IO audit logs
HashiCorp audit logs
HP ProCurve logs
HPE Aruba Networking Central logs
HPE BladeSystem c7000 logs
IBM Verify Identity Access logs
Identity and Access Management (IAM) Analysis context logs
Illumio Core logs
Imperva WAF logs
Infoblox logs
Jamf Pro context logs
Jenkins logs
JFrog Artifactory logs
Juniper Junos logs
Juniper NetScreen Firewall logs
Kaseya Datto File Protection logs
Kaspersky AV logs
Kemp Load Balancer logs
Standard Parsers L - M - N
Lacework Cloud Security logs
LimaCharlie EDR logs
Linux auditd and AIX systems logs
ManageEngine AD360 logs
ManageEngine ADAudit Plus logs
McAfee Firewall Enterprise logs
McAfee Web Gateway logs
Micro Focus NetIQ Access Manager logs
Microsoft Azure Activity logs
Microsoft Azure AD logs
Microsoft Azure AD Audit logs
Microsoft Azure AD Context logs
Microsoft Azure DevOps audit logs
Microsoft SQL Server logs
Microsoft Azure Key Vault logging logs
Microsoft Defender for Cloud Alert logs
Microsoft Defender for Identity logs
Microsoft Exchange logs
Microsoft Graph Activity logs
Microsoft IIS logs
Microsoft Intune logs
Microsoft LAPS logs
Microsoft Sentinel logs
Microsoft Windows Defender ATP logs
Mimecast Mail logs
MISP IOC logs
MobileIron logs
MuleSoft Anypoint logs
MYSQL logs
Nasuni File Services Platform logs
NetApp ONTAP logs
NetApp SAN logs
Netgate pfSense logs
Netscaler logs
Netskope alert logs v1
Netskope alert logs v2
Netskope web proxy logs
NGINX logs
Nix Systems Red Hat logs
Nix Systems Ubuntu Server (Unix System) logs
Nokia Router logs
ntopng logs
Nutanix Prism logs
Standard Parsers O - P - Q - R
Okta logs
OneLogin Single Sign-On (SSO) logs
1Password logs
1Password audit logs
Onfido logs
OpenCanary logs
OPNsense firewall logs
Oracle DB logs
Palo Alto Cortex XDR alerts logs
Palo Alto Cortex XDR events logs
Palo Alto Networks IOC logs
Palo Alto Networks Traps logs
Palo Alto Prisma Cloud logs
Palo Alto Prisma Cloud alert logs
Palo Alto Prisma SD-WAN logs
PingOne Advanced Identity Cloud logs
PowerShell logs
Proofpoint On-Demand logs
Proofpoint TAP alerts logs
Pulse Secure logs
Qualys asset context logs
Qualys Continuous Monitoring logs
Qualys Scan logs
Qualys Virtual Scanner logs
Qualys Vulnerability Management logs
Radware WAF logs
Rapid7 InsightIDR logs
reCAPTCHA Enterprise logs
Recorded Future IOC logs
RevealX logs
RSA Authentication Manager logs
Standard Parsers S - T - U
Salesforce logs
SecureAuth Identity Platform logs
Secure Web Proxy logs
Security Command Center Error logs
Security Command Center Observation logs
Security Command Center Posture Violation logs
Security Command Center Toxic Combination logs
Security Command Center Unspecified logs
SentinelOne Deep Visibility logs
SentinelOne EDR logs
ServiceNow Security logs
Signal Sciences WAF logs
Skyhigh Security logs
Collect Slack audit logs
Snort logs
Snowflake logs
Snyk group-level audit logs
Snyk group-level audit and issues logs
SonicWall logs
Sophos Central logs
Sophos UTM logs
Sophos XG Firewall logs
Suricata Eve logs
Symantec CloudSOC CASB logs
Symantec DLP logs
Symantec EDR logs
Symantec Endpoint Protection logs
Symantec Event Export logs
Symantec VIP Authentication Hub logs
Symantec VIP Enterprise Gateway logs
Symantec Web Isolation logs
Synology logs
Sysdig logs
Thinkst Canary logs
ThreatConnect IOC logs
Trellix DLP logs
Trellix ePO logs
Trellix IPS logs
Trend Micro Apex One logs
Trend Micro Cloud One logs
Trend Micro DDI logs
Trend Micro Deep Security logs
Trend Micro Email Security logs
Trend Micro Vision One logs
Trend Micro Vision One Activity logs
Trend Micro Vision One Audit logs
Trend Micro Vision One Container Vulnerability logs
Trend Micro Vision Detections logs
Trend Micro Vision One Observed Attack Techniques logs
Trend Micro Vision One Workbench logs
Tripwire logs
Twingate VPN logs
Standard Parsers V - W - X - Y - Z
Varonis logs
Veeam logs
Venafi Zero Touch PKI logs
Veridium ID logs
Veritas NetBackup logs
Versa Networks Secure Access Service Edge (SASE) logs
VMware Airwatch logs
VMware Avi Load Balancer WAF logs
VMware ESXi logs
VMware Horizon logs
VMware Networking and Security Virtualization (NSX) Manager logs
VMware Tanzu logs
VMware vCenter logs
VMware VeloCloud SD-WAN logs
VMware vRealize logs
VMware vSphere logs
VMware Workspace ONE UEM logs
VPC Flow logs
VSFTPD logs
VyOS logs
WatchGuard Fireware logs
Wazuh logs
Wiz logs
Wordpress CMS logs
Workday audit logs
Workday HCM logs
Yamaha router logs
Zoom operation logs
Ingest entity data
Parsing
Overview of log parsing
Overview of the Unified Data Model
Manage prebuilt and custom parsers
Request prebuilt and create custom log types
Parser extensions
Parser extension examples
Important UDM fields for parser data mapping
Troubleshoot tips for writing parsers
Format log data as UDM
Auto Extraction overview
Overview of aliasing and UDM enrichment in Google Security Operations
Data enrichment
Monitoring and troubleshooting
Use the Data Ingestion and Health dashboard
Use Cloud Monitoring for ingestion notifications
Use connectors
Ingest data using SOAR connectors
View connector logs
ElasticSearch connector: Map a custom date and time
Define environments in SOAR connectors
Using webhooks
Set up a webhook
Ontology
Ontology overview
Create entities (mapping and modeling)
Visual families
Configure mapping and assign visual families
Work with entity delimiters
Threat detection
Introduction to threat detection rules
View alerts and IOCs
Review potential security issues
Single event rules
Multiple event rules
Composite rules
Overview of composite detections
Monitor events using rules
View rules in the Rules Dashboard
Manage rules using the Rules Editor
Generate a YARA-L rule using Gemini
View previous versions of a rule
Archive rules
Download events
Run a rule against live data
Run a rule against historical data
Set the run frequency
Detection limits
Rule errors
Use rules to filter events in a DataTap configuration
Create context-aware analytics
Overview
Overview
Rule errors
Use Sensitive Data Protection data in context-aware analytics
Use context-enriched data in rules
Use default detection rules
Use Risk Analytics
Risk Analytics Quickstart guide
Watchlist Quickstart guide
Overview of Risk Analytics
Use the Risk Analytics dashboard
Metric functions for Risk Analytics rules
Specify entity risk score in rules
Watchlists FAQ
Risk Analytics FAQ
Work with Google SecOps curated detections
Rules capacity
Use curated detections
Use curated detections to identify threats
Use curated detection rules for third-party vendor alerts
Overview of Cloud Threats category
Overview of Composite Rules category
Overview of Chrome Enterprise Threats category
Overview of Linux Threats category
Overview of the MacOS Threats category
Overview of Risk Analytics for UEBA category
Overview of Windows Threats category
Overview of Applied Threat Intelligence curated detections
Verify data ingestion using test rules
Configure rule exclusions
Threat Investigation
Investigate an alert
Investigate a GCTI alert
Searching for data
Search for events and alerts
Use context-enriched fields in search
Use search to investigate an entity
Use search time range and manage queries
Use conditions in search and dashboards
Use deduplication in search and dashboards
Use metrics in search
Statistics and aggregations in search using YARA-L 2.0
Generate search queries with Gemini
Search best practices
Conduct a search for entity context data
Conduct a raw log search
Search raw logs using Raw Log Scan
Filter data in raw log search
Create a reference list
Use data tables
Using investigative views
Use investigative views
Investigate an asset
Work with asset namespaces
Investigate a domain
Investigate an IP address
Investigate a user
Investigate a file
View information from VirusTotal
Filtering data in investigative views
Overview of Procedural Filtering
Filter data in User view
Filter data in Asset view
Filter data in Domain view
Filter data in IP Address view
Filter data in Hash view
Threat intelligence
Applied Threat Intelligence
Introduction to Applied Threat Intelligence
Applied Threat Intelligence prioritization
View IOCs using Applied Threat Intelligence
IC score overview
Applied Threat Intelligence fusion feed overview
Answer Threat Intelligence questions with Gemini
Timestamp definitions
Cases and alert management
Cases
Cases overview
Cases page
Case Queue header
Case Overview tab
Create custom fields
Case Wall tab
Investigate cases with Gemini
Use Case Chat to collaborate in real time
Track tasks and tags in cases
Perform a manual action
Take actions on a case
Create a test case
Resolve and close cases
Use custom fields in the Close Case dialog
Using the Gemini Case summary widget
Manage tags in cases
Configure the default case view
Add or delete case stages (Admin)
Use the Alert Options menu in the Cases page
View the original SIEM data in a case
Investigate SOAR entities and alerts
Entity types that SOAR supports
Navigating the Entity Explorer page
Perform a batch action on several cases at once
Track case response and closure times
Customize the Close Case dialog (Admin)
Define a case name (Admin)
Create a manual case
Move a case to a new environment
Add or edit entity properties
Apply and save filters
Entity selection
Alerts
View alert overview tab
View alert playbooks tab
View alert events tab
Change alert priority instead of case priority
Configure alert grouping
Configure alert overflow
Handle large alerts
Rerun playbooks
Define default alert view (Admin)
Workdesk
Explore Your Workdesk
Fill out a request from Your Workdesk
Respond to pending actions from Your Workdesk
View cases from Your Workdesk
Search and investigation
Search for a normalized event
Search for an event
Use context-enriched fields in search
Use search to investigate an entity
Search best practices
Search for raw events
Search raw logs
Filter data in raw log search
Create a reference list
Investigate an alert
Using investigative views
Use investigative views
Investigate an asset
Work with asset namespaces
Investigate a domain
Investigate an IP address
Investigate a user
Investigate a file
View information from VirusTotal
Filtering data in investigative views
Overview of Procedural Filtering
Filter data in User view
Filter data in Asset view
Filter data in Domain view
Filter data in IP Address view
Filter data in Hash view
Search
Use SOAR Search
About the YARA-L language
YARA-L 2.0 language overview
YARA-L 2.0 language syntax
YARA-L best practices
Respond
Playbooks
Playbooks page
Use triggers in playbooks
Use actions in playbooks
Use flows in playbooks
Create and edit a playbook with Gemini
Use the Expression Builder
Work with the Playbook Simulator
Use the Playbook Navigator
Work with playbook blocks
Automate tasks with Playbook Loops
Configure action retries in playbooks
Understand playbook monitoring
Define customized alert views from playbook designer
Use an alert type trigger in a playbook
Bulk actions and filters in playbooks
Use the HTML widget
Scan multiple URLs in VirusTotal
Put elements of the case data into an email message
Scan URLs received by email
Send messages to a phone number
Attach playbooks to an alert
Use cases for Expression Builder
Assign actions and playbook blocks
Playbook icons legend
Configure timeouts for playbook async actions
Playbook permissions
Assign approval links in actions
Use parallel actions
Use predefined widgets in playbook views
Prevent users from changing playbooks
Send an email from Google SecOps
IDE
Use the IDE
Custom code and integrations
Set up integrations
Configure integrations
Upgrade the Python version
Support multiple instances
Test integrations in staging mode
Work with an external vault system
Create a custom action
Build a custom integration
Write jobs
Requirements for publishing custom integrations
Create your first custom integration
Create your first action
My first automation (playbook)
Develop your first email connector
Develop the connector
Configure the connector
Test a connector
Map and model alerts
Create your first use case
Response integrations community contribution guidelines
Remote agents
What is a remote agent?
Requirements and prerequisites
Remote agent architecture
Remote agent scaling strategy
Manage remote agents
Create an agent with Docker
Create an agent with the installer on RHEL
Create an agent with the installer on CentOS
Upgrade agent Docker image
Upgrade an agent with the installer for RHEL
Upgrade an agent with the installer for CentOS
Edit a remote agent
Redeploy remote agent
Installer and Docker agent configuration
Data flows and protocols
Set up integrations and connectors
Test agents
Upgrade remote agents
Deploy high availability for remote agents
Redeploy Connectors
Troubleshooting
Dashboard and Reports
Dashboards
Dashboards
Curated dashboards
Overview
PCI curated dashboards
Common curated dashboards
Manage dashboards
Manage charts in dashboards
Dashboard filters
Visualizations in search
SIEM reports and dashboards (Legacy)
Configure data export to BigQuery in a self-managed Google Cloud project
Work with dashboards
Create a custom dashboard
Add a chart visualization to a dashboard
Share a personal dashboard
Schedule dashboard reports
Use context-enriched data in reports
Import and export Google SecOps dashboards
SOAR dashboards
SOAR Dashboards overview
Add SOAR Dashboard widgets
Explore the SOAR Dashboards page
SOAR reports
Explore SOAR reports
Use Looker Explores in SOAR reports
User management
Control access to SecOps platform
Create a managed user
Create a collaborator user
Benefits of adding a collaborator user
Create a user with view-only permission
Types of user groups in Google SecOps
Disable or delete a user account
Permissions, SOC roles and environments
Manage permission groups
Manage roles and workloads
Work with environments
Use dynamic parameters in environments
Case Federation for Google SecOps
View users in Google SecOps
Set your time zone
Create environment groups
Data RBAC
Overview of data RBAC
Data RBAC impact on features
Configure data RBAC for users
Configure data RBAC for data tables
Configure data RBAC for reference lists
Administration
Tasks
Migrate to Google Cloud
View my SOAR customer ID
Collect SOAR logs
Manage API Keys
Let Google Support access your instance
Define a landing page
Create a blocklist to exclude entities from alerts
Create custom lists
Create email HTML templates
Create email templates
Define domains for MSSPs
Manage environment load balancing
Create user requests
Manage networks
Set the SLA
Use dynamic variables in email HTML templates
Open a ticket for Google Support
Define system data retention
Monitor user activities (Audit)
Rebrand overview
Set time zone for all users (Admin)
Set up your email
View and change service limits
Manage properties metadata
Retrieve raw Python logs
Google Analytics in Google SecOps
Data retention
Audit logs
Google SecOps CLI user guide
Google SecOps Marketplace
Use the Google SecOps Marketplace
Run use cases
Power Ups overview
Connectors
Email utilities
Enrichment
File utilities
Functions
GitSync
TemplateEngine
Insights
Lists
Tools
SIEM
SIEM standalone Table of Contents
Configure user preferences (SIEM only)
SOAR
SOAR standalone Table of Contents
Work with users (SOAR only)
Manage users
Types of users
Email invitation prerequisites
Manage password settings
Case management federation (SOAR only)
Clean up after removing SOAR
SAML overview (SOAR only)
Authenticate users using SSO
Configure SAML for Google Workspace
Configure SAML for Microsoft Azure
Configure Okta in Google SecOps SOAR
Troubleshoot SAML issues in Google SecOps SOAR
Configure just-in-time user provisioning
Map IdP groups to SOAR roles
Configure multiple SAML providers
Collect Google SecOps SOAR logs