As security threats increase in complexity and scale, modern SIEM solutions are becoming a key choice for CISOs looking to consolidate security monitoring and incident response. Organizations relying on Google or Google Cloud infrastructure are increasingly adopting Google Security Operations (SecOps) to unify their security stack and workflows. However, migrating to a new SIEM or keeping logging costs under control can be highly challenging due to small budgets, a lack of dedicated IT support, and competing priorities for security teams.
Datadog Observability Pipelines now integrates with Google SecOps (formerly known as Chronicle), Google’s cloud-native SIEM. With Observability Pipelines, you can centralize log collection and extract, transform, and load (ETL) processing within your own infrastructure before routing logs to Google SecOps.
In this post, we’ll describe how Observability Pipelines can help you:
- Collect, process, and enrich logs for security investigations with Google SecOps
- Simplify SIEM migrations and flexibly route logs to cloud storage
Collect, process, and enrich logs for security investigations with Google SecOps
With Datadog Observability Pipelines, you can standardize log collection and processing before routing the logs to Google SecOps. You can enrich logs with GeoIP information and redact sensitive data before it leaves your environment. Or, using the Grok parser, you can handle unstructured logs from more than 150 sources and create custom parsing rules. By enriching and parsing logs, you gain better insights into Indicators of Compromise (IOCs) and the tactics, techniques, and procedures (TTPs) used by bad actors. Additionally, you can normalize your security logs from sources like Google Workspace Admin, Google Cloud Audit, and Okta by remapping them to the Open Cybersecurity Schema Framework (OCSF) format used by Google SecOps and other top security vendors.
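The processing steps described above (a Grok-style parse rule, GeoIP enrichment, redaction of sensitive fields before the log leaves your environment, and remapping to an OCSF event) can be modelled in a few lines. The block below is an added illustration written for this post, not Datadog's or Google's code and not an Observability Pipelines configuration: the sample log lines are constructed, the `GEOIP_TABLE` is a stand-in for a real GeoIP database, and the OCSF field names are the author's reading of the Authentication class and should be checked against the schema version your SIEM expects.

```python
import re
import ipaddress
from typing import Optional

# Constructed sample lines (not captured from any real system). The first two use
# the common sshd auth message format; the third is an ad-hoc application log.
SAMPLE_LOGS = [
    "Jan 12 10:15:01 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "Jan 12 10:15:07 bastion sshd[2311]: Accepted publickey for deploy from 198.51.100.23 port 51022 ssh2",
    "Jan 12 10:16:00 app01 api[77]: user alice@example.com called /v1/export token=sk_live_0123456789abcdef",
]

# Grok-style parse rule for sshd auth messages, expressed as a named-group regex.
# A Grok pattern such as %{SYSLOGTIMESTAMP:ts} %{HOSTNAME:host} ... compiles to this kind of regex.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed password|Accepted publickey|Accepted password) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)

# Stand-in for a GeoIP database: a constructed CIDR -> country-code table
# covering the documentation address ranges used in the sample lines.
GEOIP_TABLE = {
    "203.0.113.0/24": "XA",   # TEST-NET-3, constructed label
    "198.51.100.0/24": "XB",  # TEST-NET-2, constructed label
}

# Redaction rules applied to the raw message before it leaves the environment.
REDACT_RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\bsk_live_[0-9a-f]+\b"), "[TOKEN]"),
]


def geoip_lookup(ip: str) -> Optional[str]:
    """Return the country code for an IP, or None when no range matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def redact(text: str) -> str:
    """Replace e-mail addresses and API tokens with fixed placeholders."""
    for pattern, placeholder in REDACT_RULES:
        text = pattern.sub(placeholder, text)
    return text


def to_ocsf_authentication(fields: dict, raw: str) -> dict:
    """Remap parsed sshd fields onto the OCSF Authentication event class.

    class_uid 3002 / category_uid 3 and the activity/status ids follow the OCSF
    Authentication class as the author understands it; verify the exact field
    set against the published schema version your SIEM expects.
    """
    success = fields["outcome"].startswith("Accepted")
    return {
        "class_uid": 3002,                  # Authentication
        "category_uid": 3,                  # Identity & Access Management
        "activity_id": 1,                   # Logon
        "status_id": 1 if success else 2,   # 1 = Success, 2 = Failure
        "time": fields["ts"],               # kept as the syslog string; a real pipeline would normalise to epoch ms
        "actor": {"user": {"name": fields["user"]}},
        "src_endpoint": {
            "ip": fields["src_ip"],
            "port": int(fields["src_port"]),
            "location": {"country": geoip_lookup(fields["src_ip"])},
        },
        "device": {"hostname": fields["host"]},
        "metadata": {"product": {"name": "sshd"}},
        "unmapped": {"raw": redact(raw)},
    }


def process(line: str) -> dict:
    """Pipeline stage: parse if a rule matches, otherwise pass the line through redacted."""
    match = SSHD_AUTH.match(line)
    if match:
        return to_ocsf_authentication(match.groupdict(), line)
    return {"class_uid": 0, "message": redact(line)}   # 0 = base event, left for a later rule


if __name__ == "__main__":
    import json
    for line in SAMPLE_LOGS:
        print(json.dumps(process(line), indent=2))
```

Redaction runs on the raw text regardless of whether a parse rule matched, so a line that no rule understands still cannot carry an e-mail address or API token out of your environment; that ordering is the point worth preserving when you build the equivalent processor chain.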
After your security data is transformed, you can use Observability Pipelines to send your logs to Google SecOps. You can take advantage of AI-powered threat detection and automated response playbooks for incident management in Google SecOps to improve your mean time to respond (MTTR).
For example, let’s say you’re the CISO at a large financial services institution that uses Sumo Logic for DevOps troubleshooting and Google SecOps for security. You have decided to split your logs so you can send DevOps logs to Sumo Logic and security logs to Google SecOps. The pipeline used in this scenario is shown below:
With Observability Pipelines, your security team can easily prioritize and route security logs to Google SecOps without losing visibility, sacrificing compliance, or breaking any of your current security or DevOps workflows.
Alternate log destinations
Alternative log destinations include Splunk, Datadog Cloud SIEM, Microsoft Sentinel, CrowdStrike, SentinelOne, and others. See the complete list of destinations.
Simplify SIEM migrations and flexibly route logs to cloud storage
Datadog Observability Pipelines integrates with all major SIEMs, data lakes, logging platforms, and cloud storage providers, giving your security teams the flexibility to test new tools without disrupting existing workflows. With Observability Pipelines, you can manage log collection and processing on-premises before routing to multiple destinations to evaluate different vendors.
For example, if you’re leading a migration from SentinelOne to Google SecOps or Datadog Cloud SIEM, you can configure Observability Pipelines to simultaneously dual-ship logs to both destinations. At the same time, you can send full-fidelity logs directly to cloud storage solutions like the Google Cloud Storage Archive storage class. Below is an example pipeline for this scenario:
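Both routing scenarios in this post, splitting DevOps logs to Sumo Logic and security logs to Google SecOps, and dual-shipping security logs to the old and new SIEM while archiving everything in full to cloud storage, come down to the same fan-out logic. The block below is an added model of that logic, written for this post rather than taken from Datadog or any of the vendors named; the events are constructed, the sink names are labels, and the `fallback` sink is the author's suggestion for the failure mode where a log matches no rule and would otherwise vanish.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Constructed, already-parsed events; the shape is illustrative only.
EVENTS = [
    {"source": "okta", "message": "user.session.start", "tags": ["security"]},
    {"source": "nginx", "message": "GET /health 200", "tags": ["devops"]},
    {"source": "gcp.audit", "message": "SetIamPolicy", "tags": ["security"]},
    {"source": "app", "message": "cache miss", "tags": ["devops"]},
]

# Sources treated as security logs even when the producer forgot to tag them.
SECURITY_SOURCES = {"okta", "gcp.audit", "google.workspace.admin"}


@dataclass
class Sink:
    """Destination stand-in (Google SecOps, Sumo Logic, a GCS archive...).
    A real sink ships over the network; this one just collects."""
    name: str
    received: list = field(default_factory=list)

    def send(self, event: dict) -> None:
        self.received.append(event)


@dataclass
class Route:
    name: str
    matches: Callable[[dict], bool]
    sinks: list   # every listed sink gets a copy, so one route can dual-ship


@dataclass
class Pipeline:
    routes: list
    tap: list = field(default_factory=list)   # sinks that see every event (full-fidelity archive)
    fallback: Sink = field(default_factory=lambda: Sink("unrouted"))

    def deliver(self, event: dict) -> list:
        """Fan one event out and return the names of the sinks it reached."""
        delivered = []
        for sink in self.tap:
            sink.send(event)
            delivered.append(sink.name)
        matched = False
        for route in self.routes:
            if route.matches(event):
                matched = True
                for sink in route.sinks:
                    sink.send(event)
                    delivered.append(sink.name)
        if not matched:
            # Never drop silently: an event no rule claims stays visible somewhere.
            self.fallback.send(event)
            delivered.append(self.fallback.name)
        return delivered


def is_security(event: dict) -> bool:
    return "security" in event.get("tags", []) or event.get("source") in SECURITY_SOURCES


def is_devops(event: dict) -> bool:
    return "devops" in event.get("tags", [])


def split_pipeline() -> Pipeline:
    """Scenario 1: DevOps logs to Sumo Logic, security logs to Google SecOps."""
    return Pipeline(routes=[
        Route("security", is_security, [Sink("google_secops")]),
        Route("devops", is_devops, [Sink("sumo_logic")]),
    ])


def migration_pipeline() -> Pipeline:
    """Scenario 2: dual-ship security logs to the old and new SIEM while every
    event is also archived in full to cloud storage."""
    return Pipeline(
        routes=[
            Route("security", is_security, [Sink("sentinelone"), Sink("google_secops")]),
            Route("devops", is_devops, [Sink("sumo_logic")]),
        ],
        tap=[Sink("gcs_archive")],
    )


def run(pipeline: Pipeline, events: list) -> dict:
    """Return how many events each destination received."""
    counts = Counter()
    for event in events:
        counts.update(pipeline.deliver(event))
    return dict(counts)


if __name__ == "__main__":
    print("split:", run(split_pipeline(), EVENTS))
    print("migration:", run(migration_pipeline(), EVENTS))
```

The per-destination counts that `run` returns are the number to watch during a migration: if the new SIEM's count falls behind the archive's, events are being lost between the pipeline and the destination, and the archive copy is what lets you backfill once the cause is fixed.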
Start using Observability Pipelines to route logs to Google SecOps today
Datadog Observability Pipelines enables you to use the logging platform and security solutions of your choice, including Google SecOps, so that you can support enhanced analytics, improve threat detection, and avoid vendor lock-in. Start sending your logs to Google SecOps with Observability Pipelines by setting up the Google SecOps integration and configuring any processors as needed. Optionally, you can use Observability Pipelines to migrate and send logs directly to Datadog Cloud SIEM. For more information, see our Observability Pipelines documentation.
If you’re new to Datadog, you can sign up for a 14-day free trial.