Google SecOps: Streamline Detection and Response with Tenzir

Apr 8, 2025

We're excited to announce native support for Google Security Operations (SecOps), Google Cloud's flagship platform for scalable threat detection, investigation, and response. With this new integration, Tenzir users can now send events directly to Google SecOps, making it easier than ever to feed rich telemetry into SecOps via the unstructured logs ingestion API.

Why It Matters

Google SecOps offers a cloud-native SIEM and SOAR suite built for speed, scale, and insight. For organizations already leveraging SecOps to centralize their security telemetry, the ability to seamlessly route logs from Tenzir pipelines into SecOps provides three key benefits:

  • Improved cost control: Since Google SecOps switched to ingest-based pricing, it is more important than ever to have full control over what you send and what you don't.

  • Comprehensive enrichment: Enrich everything, then decide what you need. Because all data is still in the pipeline, enrichment can happen before any filtering or forwarding.

  • Operational simplicity: Use a single TQL pipeline to transform and transmit events in real time.

The Integration

At the heart of the integration is the to_google_secops operator that sends pipeline events directly to the Unstructured Log Entries API. With just a few lines of TQL, you can connect your data with Google's security stack.

Here's a micro pipeline that sends a crafted DNS log entry to Google SecOps:

from {log: "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)"}
to_google_secops \
  customer_id="00000000-0000-0000-00000000000000000",
  private_key=secret("my_secops_key"),
  client_email="somebody@example.com",
  log_text=log,
  log_type="BIND_DNS",
  region="europe"

This example takes a single log line and sends it to Google SecOps with the correct metadata, authentication, and regional routing.

All you need to get started is a Chronicle customer ID and a service account key configured via Google's Application Default Credentials. Tenzir handles the rest—formatting, authentication, and delivery.
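As an added illustration (not Tenzir's own code), here is roughly what a client such as to_google_secops puts on the wire for the pipeline above. The batchCreate endpoint, the body fields and the regional hostnames are assumptions modelled on the public Chronicle ingestion API rather than taken from this post; the deduplication step reflects the cost-control point made earlier.

```python
"""Models what a to_google_secops-style client sends to the unstructured logs API.

Assumptions (not from the Tenzir post): the Chronicle ingestion API v2 endpoint
`unstructuredlogentries:batchCreate`, its request body, and the regional hosts
are modelled on Google's public ingestion API documentation.
"""
import json
import urllib.request

# Regional ingestion hosts (assumed from the Chronicle ingestion API docs).
REGION_HOSTS = {
    "us": "malachiteingestion-pa.googleapis.com",
    "europe": "europe-malachiteingestion-pa.googleapis.com",
    "asia-southeast1": "asia-southeast1-malachiteingestion-pa.googleapis.com",
}

# Constructed sample: three BIND query lines, one of them an exact duplicate.
SAMPLE_LOGS = [
    "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)",
    "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)",
    "31-Mar-2025 01:35:03.001 client 0.0.0.0#4240: query: example.com IN AAAA + (255.255.255.255)",
]


def ingestion_url(region: str) -> str:
    """Pick the regional host; an unknown region fails loudly instead of
    silently routing telemetry to the wrong jurisdiction."""
    try:
        host = REGION_HOSTS[region]
    except KeyError:
        raise ValueError(f"unknown SecOps region: {region!r}") from None
    return f"https://{host}/v2/unstructuredlogentries:batchCreate"


def build_batch(customer_id: str, log_type: str, lines: list[str],
                dedup: bool = True) -> dict:
    """Build the batchCreate body. With dedup=True, identical lines are
    collapsed before they count against ingest-based pricing."""
    if dedup:
        lines = list(dict.fromkeys(lines))  # order-preserving dedup
    return {
        "customer_id": customer_id,
        "log_type": log_type,
        "entries": [{"log_text": line} for line in lines],
    }


def send_batch(url: str, bearer_token: str, body: dict) -> int:
    """POST the batch with an OAuth2 bearer token obtained from the service
    account key (token acquisition is out of scope here). Returns HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Use a placeholder customer ID and a token minted from your service account key; `send_batch` is deliberately not invoked so the module runs offline.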

Built for Composability

Like everything in Tenzir, this integration is designed to fit into your composable security data fabric. Combine the new operator with any source, add enrichment along the way, or deduplicate what is too noisy: anything that sharpens your telemetry before it lands in Chronicle.

Get Started

To try it out today, visit the documentation and plug it into your next pipeline. Whether you're enriching logs, pivoting through petabytes, or building an automated threat detection system, this integration makes Google SecOps a natural endpoint for your security data.

Let us know how this new feature works for you—we love your feedback! There are many directions to go from here. One exciting possibility is supporting the UDM API endpoint in addition to the one for unstructured logs. This could come in handy when mapping your events with TQL directly into UDM, especially in cases where SecOps does not natively support your log format.