Google SecOps data processing pipeline (integration)
Google documents the platform capability as Set up and manage data processing pipelines in Google Security Operations (Chronicle)—covering logProcessingPipeline resources, stream binding, and how processing runs before or during ingestion. Read that guide for Chronicle terminology, limits, and console workflows; use this page for how Praxis models the same idea and calls the processing APIs on your behalf.
Use this Praxis flow when your goal is to shape SecOps-bound logs in Chronicle—filtering, transforming, and redacting before or during ingestion—consistent with the data processing pipeline product model. You design the graph in Praxis, bind it to your Google SecOps tenant details and credentials, and keep it aligned with Chronicle’s processing APIs.
Not the collector “export” path — If you only need to ship logs from Praxis collectors into SecOps over gRPC or HTTPS (malachite / ImportLogs), use the Google SecOps destination instead. This topic is for management-plane pipelines that orchestrate Chronicle
logProcessingPipelines—a separate pipeline type and integration record in Praxis.
Outcomes you can drive
- Choose streams — Scope by log type, feeds, ingestion methods, and optional collector or feed hints.
- Shape data before SecOps — Apply transforms, OTTL filters, and redaction/masking using SecOps-oriented processors.
- Tie graphs to your SecOps account — Point the destination at a saved Google SecOps Data Processing integration so Praxis can call Chronicle with your project, region, and customer context.
- Stay aligned with Chronicle — Optionally sync a remote
logProcessingPipelinewith your draft in Praxis (streams → processors → Google SecOps Data Processor Integration withintegration_id).
Before you build a pipeline: create the integration
In Praxis, add an integration that uses the Google SecOps Data Processing definition (integration_ref: secops). You will supply:
| Field | Required | Description |
|---|---|---|
| Region | Yes | Chronicle / SecOps region (for example us) used in API host selection and resource paths. |
| Customer ID | Yes | SecOps customer / instance identifier (used for processing API calls and instance resolution). |
| GCP Project ID | Yes | Google Cloud project that hosts the SecOps / Chronicle instance. |
| GCP Project Number | No | Optional project number when your org documents it. |
Attach Google SecOps credentials (JSON or file) as your security team expects. Praxis stores the metadata needed to resolve project, region, and customer when you publish or list pipelines.
You can optionally turn on scheduled sync so background jobs refresh pipeline state on an interval you define.
What your SecOps pipeline looks like in Praxis
A SecOps pipeline (pipeline_type: secops) uses three roles that mirror how Chronicle thinks about processing:
| Role | Node (examples) | Purpose |
|---|---|---|
| Source | SecOps Streams | One or more streams (log_type, optional ingestion_methods, collector_id, feed). |
| Processors | SecOps-tuned transform, filter, masking / redaction, JSON and related processors | Pre-ingestion transforms, route/filter by condition, redact sensitive fields. The API exposes SecOps-allowed processor types by category (transformation, filters, masking, …). |
| Destination | Google SecOps Data Processor Integration | integration_id references your saved Google SecOps Data Processing integration; optional region / project / instance / target overrides. |
If you import an existing Chronicle pipeline, Praxis builds a comparable graph: SecOps Streams source, a grouped processor chain when Chronicle has multiple steps, and a Google SecOps Data Processor Integration destination that carries integration_id and target hints from the remote resource.
Behind the scenes: how Praxis calls Chronicle
On your behalf, Praxis uses Chronicle REST APIs for logProcessingPipelines (for example fetch-by-stream, list, create, update) with:
- Target coordinates from your integration (project, location, instance, customer as required).
- Credentials you attached (bearer / Google SecOps JSON, and options such as
use_local_gcloudwhere supported).
What that lets you do in practice:
- Fetch the pipeline tied to a stream — Start from
log_type(and optional feed or collector hints) to pull the upstream definition for review or editing. - Publish changes — Create or update
logProcessingPipelineresources in Chronicle while Praxis keeps a local pipeline record and optional sync metadata (remote name, timestamps).
For API semantics, stream and pipeline lifecycle, and Google-side configuration, use Set up and manage data processing pipelines on Google Cloud as the source of truth; use Praxis API and UI behavior for how drafts, publish, and integration records are stored in your tenant.
Related paths you might need
| Your goal | Where to read |
|---|---|
| Send logs from collectors to SecOps (gRPC / HTTPS export) | Google SecOps destination |
Set log_type / namespace in native (non–data-processing) pipelines | Google SecOps standardization |
| Install collectors or a Praxis Gateway | Installation overview |
| Metric-based alerts | Monitors |
See also
- Set up and manage data processing pipelines — Google Cloud documentation for Chronicle / Google SecOps ingestion and
logProcessingPipeline(official reference) - SecOps Streams (source)
- Google SecOps Data Processor Integration (destination)