Query announces the Google Security Operations SIEM Connector!

Query Federated Search now supports a Connector for Google Security Operations (SecOps) SIEM — formerly known as Google Chronicle — bringing federated search to your Google SecOps instances!

Google SecOps is a cloud service built on Google’s infrastructure, enabling enterprises to securely retain, analyze, and search large volumes of security and network telemetry. It normalizes, indexes, and correlates data to provide instant insights into risky activities. With prebuilt integrations for workflow, response, and orchestration platforms, it helps detect, investigate, and remediate threats. Google SecOps allows long-term access to aggregated security data and enables precise searches across assets, domains, or IPs to identify potential compromises.

Google SecOps provides "always on" enrichment: it takes data normalized into the Unified Data Model (UDM), identifies important assets and indicators, adds geolocation, reputation, and other enrichment, and normalizes that enrichment into UDM as well. Customers can therefore concentrate on searching for behaviors and indicators without relying on expensive post-hoc enrichment, playbooks, or pivoting out of Google SecOps.

Query's integration with Google SecOps lets customers connect to the Google SecOps SIEM and dispatch searches without writing any UDM. Query's Configure Schema no-code workflow transforms UDM into the Query Data Model (QDM) and into Entities, which are broad search criteria based on Open Cybersecurity Schema Framework (OCSF) Observables; Entities make it quick to run searches that UDM alone does not support.

Query handles query translation and query planning, all expressed in QDM/OCSF terms and based on the Google SecOps Feeds you have onboarded. This allows very specific searches across the specific datasets in Google SecOps, as well as parallelized searches for the same datapoints in sources outside Google SecOps such as data lakes, data warehouses, and direct APIs, for example Amazon Security Lake, Snowflake, and the CrowdStrike Falcon API. You can keep the data that belongs in Google SecOps there and leave the rest in whichever system makes the most sense for it.

For instance, customers can use the Google SecOps SIEM to ingest data from Google Security Command Center and Google Cloud API logs while keeping EDR, identity, and network security data in their own sources. Query Federated Search parallelizes the searches across all of those systems and collates the results back to you for further analysis, pivoting, investigations, and automation use cases.

In another example, customers can use the data from their various Feeds to structure datapoints as Detection Findings or Incident Findings, building a body of evidence for their searches. You can onboard feeds of Entra ID alerts, Microsoft Defender alerts, and CSPM findings into Google SecOps, map the UDM from those feeds onto a Detection Finding, dispatch a search by severity, and use the results to drive security architecture workstreams.
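To make the mapping and the federated dispatch described above concrete, here is an added illustrative example in Python. It is not Query's code and does not represent the QDM or the Configure Schema workflow; it only shows the shape of the work: translating UDM alerts from two Google SecOps feeds into minimal OCSF Detection Findings, running one severity search in parallel against those feeds and a source that already returns OCSF, and collating the hits. The UDM field names (`metadata`, `security_result`, `principal`) and the OCSF names (`class_uid` 2004, `severity_id`, observable `type_id`) come from the public schemas; the source names, the alert contents, and the decision to map UDM severity `ERROR` to OCSF `Other` are constructed assumptions for this example.

```python
"""Added example, not Query's code: UDM alerts -> OCSF Detection Findings,
then one severity search dispatched in parallel across several sources.
Source names, alerts and the ERROR -> "Other" mapping are constructed."""
from concurrent.futures import ThreadPoolExecutor

DETECTION_FINDING_CLASS_UID = 2004  # OCSF Detection Finding

# OCSF severity_id values.
OCSF_SEVERITY_ID = {"Unknown": 0, "Informational": 1, "Low": 2, "Medium": 3,
                    "High": 4, "Critical": 5, "Fatal": 6, "Other": 99}

# UDM SecurityResult.Severity -> OCSF severity. ERROR has no OCSF
# counterpart, so it becomes "Other" (an assumption of this example).
UDM_TO_OCSF_SEVERITY = {
    "UNKNOWN_SEVERITY": "Unknown", "INFORMATIONAL": "Informational",
    "LOW": "Low", "MEDIUM": "Medium", "HIGH": "High", "CRITICAL": "Critical",
    "ERROR": "Other",
}


def udm_to_detection_finding(event, source):
    """Translate one UDM alert into a minimal OCSF Detection Finding, filling
    only severity, title, product and hostname/IP observables from principal."""
    sr = (event.get("security_result") or [{}])[0]
    severity = UDM_TO_OCSF_SEVERITY.get(sr.get("severity"), "Unknown")
    principal = event.get("principal", {})
    observables = []
    if principal.get("hostname"):            # OCSF observable type_id 1 = Hostname
        observables.append({"name": principal["hostname"], "type_id": 1})
    for ip in principal.get("ip", []):       # OCSF observable type_id 2 = IP Address
        observables.append({"name": ip, "type_id": 2})
    return {
        "class_uid": DETECTION_FINDING_CLASS_UID,
        "severity": severity,
        "severity_id": OCSF_SEVERITY_ID[severity],
        "time": event.get("metadata", {}).get("event_timestamp"),
        "finding_info": {"title": sr.get("rule_name") or sr.get("summary"),
                         "desc": sr.get("summary")},
        "metadata": {"product": {"name": event.get("metadata", {}).get("product_name")}},
        "observables": observables,
        "source": source,
    }


def search_source(name, fmt, records, min_severity_id):
    """Severity search against one source: UDM sources are translated on the
    way out, OCSF sources pass through. "Other" (99) never satisfies a numeric
    threshold, so ERROR alerts are excluded rather than ranked above Critical."""
    if fmt == "udm":
        findings = [udm_to_detection_finding(r, name) for r in records]
    else:
        findings = [dict(r, source=name) for r in records]
    return [f for f in findings
            if min_severity_id <= f["severity_id"] <= OCSF_SEVERITY_ID["Fatal"]]


def federated_search(sources, min_severity="High"):
    """Dispatch the same search to every source in parallel and collate the
    hits, most severe first. `sources` maps a name to (format, records)."""
    min_id = OCSF_SEVERITY_ID[min_severity]
    with ThreadPoolExecutor(max_workers=max(1, len(sources))) as pool:
        futures = [pool.submit(search_source, n, fmt, recs, min_id)
                   for n, (fmt, recs) in sources.items()]
        findings = [f for fut in futures for f in fut.result()]
    return sorted(findings, key=lambda f: (-f["severity_id"], f["source"]))


# Constructed sample data: two Google SecOps feeds in UDM plus one direct API
# source that already returns OCSF.
SAMPLE_SOURCES = {
    "secops-defender-feed": ("udm", [
        {"metadata": {"event_timestamp": "2024-05-01T10:00:00Z", "product_name": "Microsoft Defender"},
         "security_result": [{"severity": "HIGH", "rule_name": "Suspicious PowerShell",
                              "summary": "Encoded command line observed"}],
         "principal": {"hostname": "ws-042", "ip": ["10.1.2.3"]}},
        {"metadata": {"event_timestamp": "2024-05-01T10:05:00Z", "product_name": "Microsoft Defender"},
         "security_result": [{"severity": "LOW", "rule_name": "Scheduled scan", "summary": "Scan completed"}],
         "principal": {"hostname": "ws-043", "ip": ["10.1.2.4"]}},
    ]),
    "secops-entra-feed": ("udm", [
        {"metadata": {"event_timestamp": "2024-05-01T10:02:00Z", "product_name": "Entra ID Protection"},
         "security_result": [{"severity": "CRITICAL", "rule_name": "Impossible travel",
                              "summary": "Sign-in from two distant locations"}],
         "principal": {"user": {"userid": "alice"}, "ip": ["203.0.113.7"]}},
        {"metadata": {"event_timestamp": "2024-05-01T10:03:00Z", "product_name": "Entra ID Protection"},
         "security_result": [{"severity": "ERROR", "summary": "Risk detection failed to evaluate"}],
         "principal": {"user": {"userid": "bob"}}},
    ]),
    "edr-direct-api": ("ocsf", [
        {"class_uid": 2004, "severity": "High", "severity_id": 4, "time": "2024-05-01T10:01:00Z",
         "finding_info": {"title": "Credential dumping"}, "observables": [{"name": "ws-042", "type_id": 1}]},
        {"class_uid": 2004, "severity": "Medium", "severity_id": 3, "time": "2024-05-01T10:04:00Z",
         "finding_info": {"title": "Unsigned driver load"}, "observables": [{"name": "ws-044", "type_id": 1}]},
    ]),
}

if __name__ == "__main__":
    for f in federated_search(SAMPLE_SOURCES, "High"):
        print(f["severity"], f["source"], f["finding_info"]["title"],
              [o["name"] for o in f["observables"]])
```

Running the block prints the three High-or-worse findings with the Critical Entra ID hit first; note that the host `ws-042` appears in both the Defender feed and the EDR source, which is exactly the kind of cross-source pivot the collated result makes possible. The one design decision worth calling out is the handling of UDM `ERROR`: OCSF reserves `severity_id` 99 for `Other`, and a naive `>=` comparison would rank those alerts above Critical, so the search bounds the threshold at `Fatal` instead.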

For more information, check out our Product Documentation or reach out to our sales team if you would like to see the Connector yourself!