What Changed
New Microsoft Sentinel solution for Google SecOps (formerly Chronicle) providing a complete integration pipeline with detection ingestion, normalization, and alerting capabilities.
Data Source
Google SecOps is Google's cloud-native SIEM and security analytics platform (previously known as Chronicle). This solution ingests security detections, including:
- Detection alerts from Google Security Operations platform
- Google Cloud Threat Intelligence (GCTI) threat findings
- Single event alerts and multi-event correlated alerts
Ingestion Mechanism
Function App-based ingestion using two Azure Functions:
- GoogleSecOpsToStorage: Polls Google SecOps API and stages raw detection data to Azure File Share
- AzureStorageToSentinel: Processes staged data and ingests via Logs Ingestion API (DCR)
The pipeline populates the custom table GoogleSecOpsDetectionAlerts_CL in Microsoft Sentinel.
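The two-stage pattern described above, written out as an added illustration rather than the solution's own connector code: stage 1 polls a source and appends only new raw detections to a staging file behind a persisted checkpoint (a local JSON-lines file stands in for the Azure File Share, and the API poll is replaced by constructed sample detections); stage 2 reads the staged records, flattens each into a custom-table row and hands them to an upload callable in batches that respect the Logs Ingestion API's 1 MB per-request limit. The detection field layout, the table column names and the StateManager/helper names are assumptions made for this example, not the project's schema.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Callable, Iterator

# Constructed sample detections; the field layout is an assumption for this example,
# not the real Google SecOps detection schema.
SAMPLE_DETECTIONS = [
    {"id": "de_0001", "type": "RULE_DETECTION", "detectionTime": "2024-05-01T10:00:00Z",
     "ruleName": "suspicious_login", "severity": "HIGH", "ruleType": "SINGLE_EVENT",
     "principalUser": "alice"},
    {"id": "de_0002", "type": "RULE_DETECTION", "detectionTime": "2024-05-01T10:05:00Z",
     "ruleName": "brute_force_then_success", "severity": "CRITICAL", "ruleType": "MULTI_EVENT",
     "principalUser": "bob"},
    {"id": "de_0003", "type": "GCTI_FINDING", "detectionTime": "2024-05-01T10:05:00Z",
     "ruleName": "gcti_known_bad_ip", "severity": "MEDIUM", "ruleType": "SINGLE_EVENT",
     "principalUser": "carol"},
]

MAX_BATCH_BYTES = 1_000_000  # the Logs Ingestion API accepts at most 1 MB per request


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def poll_source(since: datetime) -> list:
    """Stand-in for the API poll: constructed detections at or after `since`."""
    return [d for d in SAMPLE_DETECTIONS if _parse_ts(d["detectionTime"]) >= since]


class StateManager:
    """Checkpoint persisted as JSON: last detection time plus the ids seen at that instant,
    so a poll window that starts at the checkpoint never re-stages the same detection."""

    def __init__(self, path: str):
        self.path = path
        self.last_time = datetime(1970, 1, 1, tzinfo=timezone.utc)
        self.seen_ids: set = set()
        if os.path.exists(path):
            with open(path) as fh:
                data = json.load(fh)
            self.last_time = _parse_ts(data["last_time"])
            self.seen_ids = set(data["seen_ids"])

    def is_new(self, det: dict) -> bool:
        ts = _parse_ts(det["detectionTime"])
        return ts > self.last_time or (ts == self.last_time and det["id"] not in self.seen_ids)

    def advance(self, det: dict) -> None:
        ts = _parse_ts(det["detectionTime"])
        if ts > self.last_time:
            self.last_time, self.seen_ids = ts, set()
        self.seen_ids.add(det["id"])

    def save(self) -> None:
        with open(self.path, "w") as fh:
            json.dump({"last_time": self.last_time.isoformat().replace("+00:00", "Z"),
                       "seen_ids": sorted(self.seen_ids)}, fh)


def stage_detections(state: StateManager, staging_path: str) -> int:
    """Stage 1: append new raw detections as JSON lines. The checkpoint advances only
    after the write succeeded, so a crash mid-run loses no records (at-least-once)."""
    new = sorted((d for d in poll_source(state.last_time) if state.is_new(d)),
                 key=lambda d: (d["detectionTime"], d["id"]))
    with open(staging_path, "a") as fh:
        for det in new:
            fh.write(json.dumps(det) + "\n")
    for det in new:
        state.advance(det)
    state.save()
    return len(new)


def normalize(raw: dict) -> dict:
    """Flatten one raw detection into a custom-table row (column names are assumed)."""
    return {"TimeGenerated": raw["detectionTime"], "DetectionId": raw["id"],
            "DetectionType": raw["type"], "RuleName": raw["ruleName"],
            "Severity": raw["severity"].upper(), "RuleType": raw["ruleType"],
            "PrincipalUser": raw.get("principalUser", "")}


def batches(rows: list, max_bytes: int = MAX_BATCH_BYTES) -> Iterator[list]:
    """Yield row lists whose JSON encoding stays within the per-request size limit."""
    current: list = []
    for row in rows:
        if current and len(json.dumps(current + [row]).encode()) > max_bytes:
            yield current
            current = []
        current.append(row)
    if current:
        yield current


def ingest_staged(staging_path: str, upload: Callable[[list], None],
                  max_bytes: int = MAX_BATCH_BYTES) -> int:
    """Stage 2: normalize staged lines, upload in batches, then truncate the staging
    file only after every batch was accepted."""
    with open(staging_path) as fh:
        rows = [normalize(json.loads(line)) for line in fh if line.strip()]
    for batch in batches(rows, max_bytes):
        upload(batch)
    open(staging_path, "w").close()
    return len(rows)


def run_pipeline(workdir: str = None, max_bytes: int = MAX_BATCH_BYTES) -> dict:
    """Two polls followed by one ingestion pass; the second poll must stage nothing."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_pipeline(tmp, max_bytes)
    state_path = os.path.join(workdir, "checkpoint.json")
    staging_path = os.path.join(workdir, "detections.jsonl")
    uploaded: list = []
    first = stage_detections(StateManager(state_path), staging_path)
    second = stage_detections(StateManager(state_path), staging_path)
    count = ingest_staged(staging_path, uploaded.append, max_bytes)
    return {"staged_first": first, "staged_second": second, "ingested": count, "batches": uploaded}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(max_bytes=450), indent=2))
```

Running the block with a deliberately small batch limit shows the three sample detections staged once, nothing staged on the second poll, and the three normalized rows split across two uploads. The checkpoint keeps ids alongside the timestamp because two of the sample detections share the same detectionTime; a timestamp-only checkpoint would either re-ingest or drop one of them depending on whether the poll uses `>=` or `>`.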
Detection Surface Unlocked
This integration provides visibility into Google security detections and threat intelligence findings, enabling SOCs to:
- Monitor Google Workspace threats detected by Chronicle
- Correlate Google cloud security events with Microsoft ecosystem data
- Track threats identified by Google Cloud Threat Intelligence
Bundled Content
- 4 Analytic Rules: Detection alerts, GCTI findings, single/multi-event correlation
- 1 Parser: Normalizes raw Google SecOps detection data
- Sample Data: DetectionAlerts_CL test dataset
MITRE Coverage
Covers 12 MITRE ATT&CK techniques including T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), T1566 (Phishing), T1110 (Brute Force), T1485 (Data Destruction), and T1562 (Impair Defenses).
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/DetectionAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/GoogleSecOpsDetectionAlerts.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/GoogleSecOps.svg
Sample Data/Custom/DetectionAlerts_CL.csv
Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-DetectionAlerts.yaml
Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-GCTIThreatIntelligenceFinding.yaml
Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-MultiEventCorrelatedAlert.yaml
Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-SingleEventAlert.yaml
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/AzureStorageToSentinel/__init__.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/AzureStorageToSentinel/azure_storage_to_sentinel.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/AzureStorageToSentinel/function.json
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/GoogleSecOpsDetectionAlerts_API_FunctionApp.json
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/GoogleSecOpsToStorage/__init__.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/GoogleSecOpsToStorage/function.json
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/GoogleSecOpsToStorage/google_secops_to_storage.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/__init__.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/consts.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/exceptions.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/google_auth.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/google_secops_client.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/logger.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/sentinel.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/SharedCode/state_manager.py
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/azuredeploy_Connector_GoogleSecOpsDetectionAlerts_API_AzureFunction.json
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/host.json
Solutions/GoogleSecOps/Data Connectors/GoogleSecOpsDetectionAlerts/requirements.txt
Solutions/GoogleSecOps/Package/testParameters.json
Solutions/GoogleSecOps/Parsers/GoogleSecOpsDetectionAlerts.yaml
(packaging artefacts: 3.0.0.zip, GoogleSecOpsDetectionAlerts.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GoogleSecops.json, createUiDefinition.json, mainTemplate.json)