Sends raw logs, UDM events, or entities to a Google SecOps Chronicle instance.
to_google_secops [mode=string,] project=string, region=string, instance=string, [service_credentials=secret, log_type=string, log_text=blob|string, log_entry_time=time, collection_time=time, labels=record, forwarder=string, hint=string, source_filename=string, namespace=string, max_request_size=int, max_batch_events=int, batch_timeout=duration, parallel=int]Description
Section titled “Description”The to_google_secops operator ingests telemetry via the Google SecOps Chronicle
import APIs:
mode="raw_log"sends raw logs to thelogs.importAPI.mode="udm_event"sends each input row as a UDM event to theevents.importAPI.mode="udm_entity"sends each input row as an entity to theentities.importAPI.
mode = string
Section titled “mode = string”Selects the ingestion mode. Must be raw_log, udm_event, or udm_entity.
Defaults to raw_log.
project = string
Section titled “project = string”The Google Cloud project that owns the SecOps instance.
region = string
Section titled “region = string”The SecOps location. This also selects the regional API host.
instance = string
Section titled “instance = string”The SecOps instance ID.
service_credentials = secret (optional)
Section titled “service_credentials = secret (optional)”Full service-account JSON to use for Google Cloud OAuth2 authentication. Use a secret value for credentials in production.
When omitted, the operator uses Google Application Default Credentials.
log_type = string
Section titled “log_type = string”The raw log type or entity log type. Required when mode="raw_log" or
mode="udm_entity".
For raw logs, this selects the SecOps log type in the logs.import resource
path. For entities, this sets the logType field in the entities.import
request. Use a context source log type accepted by your SecOps instance, such as
AZURE_AD_CONTEXT for Azure AD user context. This is not the same as the UDM
entity type, such as USER or ASSET.
UDM and Entity Field Names
Section titled “UDM and Entity Field Names”UDM events and entities are sent as ingestion API JSON. Shape these rows with
Google’s lowerCamelCase ingestion field names, such as metadata.eventType and
metadata.entityType. Query field names in SecOps search and YARA-L often use
snake_case, such as metadata.event_type; those are not the field names to send
to the import APIs. The operator forwards each UDM or entity row as-is and does
not translate field names.
log_text = blob|string
Section titled “log_text = blob|string”The raw log text. String values must contain valid UTF-8. Blob and string values are base64-encoded before they are sent to SecOps.
Required when mode="raw_log".
log_entry_time = time
Section titled “log_entry_time = time”The timestamp of the raw log entry. Required when mode="raw_log".
collection_time = time
Section titled “collection_time = time”The time at which the raw log entry was collected. Google requires this to be
after log_entry_time. Required when mode="raw_log".
labels = record (optional)
Section titled “labels = record (optional)”A record of custom metadata labels to attach to raw logs.
String values default to rbacEnabled=false. To allow a label to be used for
Google SecOps Data RBAC, use the structured form:
labels={ env: "prod", tenant: {value: "acme", rbac_enabled: true},}Only valid when mode="raw_log".
forwarder = string (optional)
Section titled “forwarder = string (optional)”The SecOps forwarder name to attach to raw logs.
Only valid when mode="raw_log".
hint = string (optional)
Section titled “hint = string (optional)”The parser hint to pass to the logs.import API.
Only valid when mode="raw_log".
source_filename = string (optional)
Section titled “source_filename = string (optional)”The source filename to attach to raw logs.
Only valid when mode="raw_log".
namespace = string (optional)
Section titled “namespace = string (optional)”The environment namespace for raw logs.
Only valid when mode="raw_log".
max_request_size = int (optional)
Section titled “max_request_size = int (optional)”The maximum number of bytes in the uncompressed request payload.
Defaults to 2M. Values must be between 100k and 4M.
max_batch_events = int (optional)
Section titled “max_batch_events = int (optional)”The maximum number of events to include in one import request.
Defaults to 1k. Must be at least 1.
batch_timeout = duration (optional)
Section titled “batch_timeout = duration (optional)”The maximum duration to wait for new events before sending the request.
Defaults to 5s.
parallel = int (optional)
Section titled “parallel = int (optional)”The maximum number of concurrent import requests.
Defaults to 50. Must be at least 1.
Examples
Section titled “Examples”Send Raw Logs
Section titled “Send Raw Logs”from {log: "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)"}to_google_secops \ mode="raw_log", project="my-project", region="us", instance="my-secops-instance", service_credentials=secret("my_secops_service_account"), log_text=log, log_type="BIND_DNS", log_entry_time=2026-01-01T00:00:00, collection_time=2026-01-01T00:00:01, labels={tenant: {value: "acme", rbac_enabled: true}}, forwarder="forwarder-1", hint="bind-dns", source_filename="named.log"Send UDM Events
Section titled “Send UDM Events”from { metadata: { eventTimestamp: 2026-01-01T00:00:00, collectedTimestamp: 2026-01-01T00:00:01, eventType: "NETWORK_CONNECTION", vendorName: "Tenzir", productName: "Tenzir Pipeline", productVersion: "dev", productEventType: "connection", productLogId: "tenzir-udm-001", description: "Network connection observed by Tenzir", }, principal: { hostname: "host.example", ip: ["192.0.2.10"], user: { userid: "alice", emailAddresses: ["alice@example.com"], }, }, target: { hostname: "service.example", ip: ["198.51.100.20"], port: 443, }, network: { applicationProtocol: "HTTPS", ipProtocol: "TCP", sentBytes: 1250, receivedBytes: 4096, }, securityResult: [{ action: ["ALLOW"], severity: "LOW", }], additional: { fields: { sourcePipeline: {stringValue: "to_google_secops-example"}, marker: {stringValue: "tenzir-udm-rich"}, }, },}to_google_secops \ mode="udm_event", project="my-project", region="us", instance="my-secops-instance", service_credentials=secret("my_secops_service_account")Send Entities
Section titled “Send Entities”from { metadata: { collectedTimestamp: 2026-01-01T00:00:01, vendorName: "Tenzir", productName: "Tenzir Pipeline", entityType: "USER", }, entity: { user: { userid: "alice@example.com", productObjectId: "alice-0001", userDisplayName: "Alice Example", emailAddresses: ["alice@example.com", "alice@corp.example"], employeeId: "E0001", title: "Security Analyst", companyName: "Example Corp", department: "Security Operations", }, }, additional: { fields: { sourcePipeline: {stringValue: "to_google_secops-example"}, marker: {stringValue: "tenzir-entity-rich"}, }, },}to_google_secops \ mode="udm_entity", project="my-project", region="us", instance="my-secops-instance", service_credentials=secret("my_secops_service_account"), log_type="AZURE_AD_CONTEXT"