Google Cloud Security Operations Data Connector

Stream Google SecOps detections into Torq in real time, with faster delivery and simplified setup.

Updated this week

The Torq Google Cloud Security Operations (SecOps) data connector uses Google’s streaming architecture to deliver detections to your workflows faster and more reliably than traditional polling-based integrations.

Key benefits include:

  • Reduced response delays: Alerts are delivered to Torq in real time as Google SecOps generates them, so there is no waiting for scheduled polling intervals.

  • Simplified setup: There’s no need to configure polling schedules, write custom queries, or manage deduplication logic. The connector handles streaming, state management, and continuity automatically.

  • Historical backfill: During setup, you can optionally configure an offset to backfill past detections and gain immediate value from the connector.

Event throughput

The Torq SecOps connector supports up to 1,500 incoming events per minute per workspace. If throughput exceeds this rate, events are automatically queued and retried, ensuring no data loss.

Common scenarios

Automated response workflows from Google SecOps detections

The Google SecOps Data Connector lets security teams trigger Torq workflows in real time as detections fire in Google SecOps. Any detection event from your YARA-L rules, such as malware activity, suspicious authentication, potential data exfiltration, or policy violation, can automatically launch end-to-end response workflows in Torq.

Automated case creation and management

For teams using Torq HyperSOC, Google SecOps detections can be used as workflow triggers to create and enrich investigation cases. You define the case-creation logic in your workflows, which can open fully contextualized cases that aggregate detection details, enrichment data, automated actions, and analyst collaboration in a single workspace.

Prerequisites

Google Event Streams [Read] permission scope: Allows Torq to read events from the Google SecOps event streaming API.

How to use

Request API authentication from Google's service representative

  1. Contact your Google SecOps representative: Ask your Google SecOps (Chronicle) representative to enable the necessary Google SecOps (Chronicle) APIs for your environment.

    1. Request a dedicated service account: Have them create a service account with the appropriate Google SecOps IAM roles and permissions for API access.

    2. Obtain the JSON credentials: Ask them to generate a service account key and provide it to you as a JSON file. This account should be dedicated to programmatic access to your SecOps instance.

  2. Store the credentials securely: Download the JSON file and keep it in a secure location. You’ll use it when configuring the Torq Google SecOps data connector.

For details, refer to the following Google documentation:

Use Google SecOps to trigger workflows in Torq

To ingest SecOps alerts in Torq, you must create a Google SecOps trigger integration.

  1. Navigate to Integrations: In Torq, go to Build > Integrations > Triggers.

  2. Activate the Google SecOps streaming integration: Find the integration in your list and click its icon.

  3. Set up a streaming instance:

    1. Enter the instance name: In the Instance name field, type a name for your integration (e.g., Google SecOps).

    2. Specify the location: In the Location field, enter the region of your SecOps instance (e.g., us).

    3. Provide the Instance ID: Paste your Google SecOps Instance ID into the corresponding field.

    4. Provide the Project ID: Enter the Project ID associated with your Google Cloud project.

    5. Upload the Service Account JSON: Click Attach JSON file and upload the service account key file you received from your Google SecOps representative.

    6. Optionally set ingestion backfill: If needed, configure Set past data ingestion period (up to 6 days, 23 hours, and 30 minutes) to backfill historical detection alerts. Use the following format: XdXhXm (e.g., 6d23h30m).

When you edit an existing Google SecOps instance, the past data ingestion period cannot be changed. To change it, delete the instance and create a new one.
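A pre-flight check for two of the values entered in step 3, the service account key file and the backfill offset, run before they are submitted. This is an added example, not Torq or Google code: the function names are hypothetical, requiring all three of the d, h, and m parts is an assumption based on the XdXhXm format shown above, and the permission check assumes a POSIX file system.

```python
import json
import os
import re
import stat
import sys
from datetime import timedelta

# Documented ceiling for "Set past data ingestion period".
MAX_BACKFILL = timedelta(days=6, hours=23, minutes=30)
# The page gives the format as XdXhXm; requiring all three parts is an assumption.
BACKFILL_RE = re.compile(r"(\d{1,3})d(\d{1,3})h(\d{1,3})m")
# Fields found in a standard Google service account key file.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def parse_backfill(value):
    """Return the backfill offset as a timedelta, or raise ValueError."""
    match = BACKFILL_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"expected XdXhXm, got {value!r}")
    days, hours, minutes = map(int, match.groups())
    offset = timedelta(days=days, hours=hours, minutes=minutes)
    if offset > MAX_BACKFILL:
        raise ValueError(f"{value!r} exceeds the 6d23h30m maximum")
    return offset


def check_key_file(path):
    """Return a list of problems with the key file; empty means it looks usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # POSIX permission bits: accessible beyond the owner
        problems.append(f"mode {mode:03o} exposes the key to group/other users")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # covers invalid JSON and invalid UTF-8
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top level is not a JSON object"]
    missing = [name for name in KEY_FIELDS if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    return problems


if __name__ == "__main__":
    print(parse_backfill("6d23h30m"))  # the page's own example value
    if len(sys.argv) > 1:
        print(check_key_file(sys.argv[1]) or "key file looks usable")
```

Because the past data ingestion period cannot be edited after the instance is created, checking the offset before saving avoids having to delete and recreate the instance.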

You’ve successfully set up the Google SecOps integration in Torq. With the instance configured, Torq can now securely stream detections from your Google SecOps environment in real time and automatically trigger workflows and case actions based on those events.
