Google SecOps Standardization
Overview
The Google SecOps Standardization processor prepares logs for ingestion into Google SecOps by attaching the Chronicle parser metadata and optional ingestion labels.
Supported types: Logs
Configuration
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| ottl_expression | string | none | No | OTTL condition used to determine when this processor should be applied. |
| log_type | string | none | Yes | The Chronicle log_type parser value used by Google SecOps. |
| namespace | string | none | No | Chronicle namespace associated with the ingested logs. |
| ingestionLabels | object[string,string] | none | No | Key-value labels to attach for Chronicle ingestion. |
Note: Use ingestion_labels to attach additional Chronicle ingestion metadata as key-value pairs.
Rules
When building the ottl_expression, the UI exposes rule-based conditions.
Attributes
| Parameter | Type | Description |
|---|---|---|
| Attribute Key | string | The attribute key to evaluate. Supported values: attribute; resource; log; span; metric (fields: aggregation_temporality; description; is_monotonic; name; type; unit); datapoint (fields: count; negative.offset; positive.offset; scale; sum; value_double; value_int; zero_count) |
| Operator | string | The operator to use for comparison. Supported values: equals; not equals; starts with; ends with; contains; regex; ==; !=; <; >; >=; <=; is boolean; is integer; is double; is map; is string; exists; not exists |
| Value | string | The value to compare against |
Note: Multiple rules can be combined in the UI using logical operators such as AND or OR, and the resulting rule set is converted into the final ottl_expression.
Example Configuration
```json
{
  "ottl_expression": "",
  "log_type": "",
  "namespace": "",
  "ingestionLabels": {
    "environment": "production",
    "team": "security"
  }
}
```

log_type is required and has no default; ottl_expression, namespace and ingestionLabels are optional and default to none (an empty ottl_expression applies the processor to every log).
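The following is an added Python example, not the processor's own code, that ties the Rules section and the example configuration together: it takes UI-style rules (attribute key, operator, value), renders them as an OTTL condition of the kind that ends up in ottl_expression, and simulates the standardization step over a few constructed log records so the effect of the condition is visible. The operator-to-OTTL rendering is a plausible mapping (OTTL's IsMatch, IsString, IsInt, IsDouble, IsBool and IsMap converters and lowercase and/or), and the chronicle_* attribute names it writes are assumptions, not the processor's documented output.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    key: str         # attribute key on the log record, e.g. "log.file.name"
    operator: str    # one of the operators listed in the Attributes table
    value: str = ""  # comparison value; unused for exists / not exists / is ... operators


# OTTL rendering per operator (assumed mapping): {p} is the attribute path,
# {v} the raw value, {r} the value escaped for use inside an IsMatch regex.
_OTTL = {
    "equals": '{p} == "{v}"', "==": '{p} == "{v}"',
    "not equals": '{p} != "{v}"', "!=": '{p} != "{v}"',
    "<": "{p} < {v}", ">": "{p} > {v}", "<=": "{p} <= {v}", ">=": "{p} >= {v}",
    "starts with": 'IsMatch({p}, "^{r}")',
    "ends with": 'IsMatch({p}, "{r}$")',
    "contains": 'IsMatch({p}, "{r}")',
    "regex": 'IsMatch({p}, "{v}")',
    "exists": "{p} != nil", "not exists": "{p} == nil",
    "is string": "IsString({p})", "is integer": "IsInt({p})",
    "is double": "IsDouble({p})", "is boolean": "IsBool({p})", "is map": "IsMap({p})",
}


def rule_to_ottl(rule: Rule) -> str:
    """Render one UI rule as an OTTL condition on the log record's attributes."""
    path = f'attributes["{rule.key}"]'
    return _OTTL[rule.operator].format(p=path, v=rule.value, r=re.escape(rule.value))


def rules_to_ottl(rules, combine="AND") -> str:
    """Join rules with the UI's AND / OR choice; OTTL itself uses lowercase and / or."""
    return f" {combine.lower()} ".join(rule_to_ottl(r) for r in rules)


def _matches(rule: Rule, attrs: dict) -> bool:
    """Evaluate one rule against a record's attribute map (mirrors the OTTL above)."""
    present, val, op = rule.key in attrs, attrs.get(rule.key), rule.operator
    if op == "exists":
        return present
    if op == "not exists":
        return not present
    if op == "is string":
        return isinstance(val, str)
    if op == "is integer":
        return isinstance(val, int) and not isinstance(val, bool)
    if op == "is double":
        return isinstance(val, float)
    if op == "is boolean":
        return isinstance(val, bool)
    if op == "is map":
        return isinstance(val, dict)
    if not present:          # a missing attribute never satisfies a comparison
        return False
    s = str(val)
    if op in ("equals", "=="):
        return s == rule.value
    if op in ("not equals", "!="):
        return s != rule.value
    if op == "starts with":
        return s.startswith(rule.value)
    if op == "ends with":
        return s.endswith(rule.value)
    if op == "contains":
        return rule.value in s
    if op == "regex":
        return re.search(rule.value, s) is not None
    if op in ("<", ">", "<=", ">="):
        try:
            a, b = float(val), float(rule.value)
        except (TypeError, ValueError):
            return False
        return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]
    raise ValueError(f"unsupported operator: {op}")


def standardize(records, config, rules=(), combine="AND"):
    """Attach Chronicle metadata to every record the rule set selects.

    Returns new dicts and leaves the inputs untouched. With no rules every
    record is standardized, as with an empty ottl_expression.
    """
    out = []
    for rec in records:
        attrs = dict(rec)
        hits = [_matches(r, attrs) for r in rules]
        selected = not rules or (all(hits) if combine.upper() == "AND" else any(hits))
        if selected:
            # Assumed attribute names; the keys the exporter reads may differ.
            attrs["chronicle_log_type"] = config["log_type"]
            if config.get("namespace"):
                attrs["chronicle_namespace"] = config["namespace"]
            if config.get("ingestionLabels"):
                attrs["chronicle_ingestion_labels"] = dict(config["ingestionLabels"])
        out.append(attrs)
    return out


# Constructed sample records (attribute maps only) and an example configuration.
SAMPLE_LOGS = [
    {"log.file.name": "/var/log/auth.log", "host.name": "bastion-1", "severity_number": 9},
    {"log.file.name": "/var/log/nginx/access.log", "host.name": "web-2", "severity_number": 5},
    {"host.name": "db-1", "severity_number": 17},
]
CONFIG = {"ottl_expression": "", "log_type": "LINUX_SYSLOG",  # example log_type value
          "namespace": "prod", "ingestionLabels": {"environment": "production", "team": "security"}}
RULES = [Rule("log.file.name", "ends with", "auth.log"), Rule("host.name", "exists")]

if __name__ == "__main__":
    print("ottl_expression:", rules_to_ottl(RULES, "AND"))
    for rec in standardize(SAMPLE_LOGS, CONFIG, RULES, "AND"):
        print(rec)
```

Running the block prints the generated condition and shows that only the auth.log record receives the chronicle_* attributes; switching the combine argument to "OR" or editing RULES is a quick way to check what a rule set will select before committing it to ottl_expression.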