Google Cloud

Introduction to Google Security Operations (SIEM)

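Gain insight into a topic and learn the fundamentals.
Beginner level
No prior experience required
6 hours to complete
Flexible schedule
Learn at your own pace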

What you'll learn

  • Explain the architecture, data model, and core components of Google SecOps SIEM, including ingestion methods, UDM, normalization, and RBAC.

  • Ingest, normalize, and manage log data from multiple sources, using direct ingestion, APIs, cloud buckets, streaming services, and on-prem collectors.

  • Perform effective investigations using raw logs, UDM search, statistical search, and data tables, and build dashboards.

  • Design, test, and optimize detections using YARA-L, including single-event, multi-event, and composite rules, entity context, and more.

Details to know

Shareable certificate

Recently updated!

April 2026

Assessments

5 assignments

Taught in English

There are 5 modules in this course

This module introduces the foundational concepts of Google SecOps SIEM, providing learners with a clear understanding of the platform’s purpose, architecture, and data model. It covers key elements such as SIEM-supported ingestion methods, RBAC fundamentals, the Unified Data Model (UDM), normalization workflows, and the core search and visualization capabilities available in the SIEM interface. Learners will explore how detections are structured and how SIEM transforms raw logs into normalized, enriched events. By the end of the module, participants will have a strong conceptual baseline for how data flows through SIEM and how analysts interact with it in daily operations. This module gives only short introductions to these topics; each of them, and more, is covered in depth in its respective learning module.

What's included

8 videos, 1 assignment

This module provides a comprehensive walkthrough of setting up Google SecOps SIEM, focusing on the full lifecycle of data onboarding, access control, and normalization. Learners will explore every supported ingestion path—direct collectors, third-party APIs, cloud storage buckets, streaming services, and on-prem deployments using BindPlane—understanding when and how each method is used. The module also dives deeply into SIEM’s RBAC framework, covering feature-level permissions, data-scoped access, scopes, labels, and practical strategies for implementing secure, least-privileged operations. Finally, learners will work through normalization concepts and parser management to ensure that ingested logs are structured, transformed, and enriched according to UDM best practices. By the end, participants will be able to deploy a fully functional and well-governed SIEM ingest pipeline.

What's included

19 videos, 1 assignment

This module provides a comprehensive walkthrough of investigating security events within Google SecOps SIEM, focusing on how analysts move from raw log exploration to structured, hypothesis-driven investigations using UDM. Learners will begin with raw log search techniques to understand how data enters the platform and how to quickly validate ingestion, timestamps, and source context. The module then introduces the UDM schema and field families, explaining how normalization enables consistent querying across disparate data sources. Participants will progress to UDM search and statistical aggregation, learning how to pivot, group, and correlate events using structured queries and data tables. Through practical demos and guided examples, learners will develop efficient investigation workflows that combine raw logs, UDM searches, and aggregations to identify suspicious behavior, validate detections, and support incident response decisions.

What's included

6 videos, 1 assignment

This module provides a comprehensive overview of dashboards in Google SecOps SIEM, focusing on how dashboards are used to visualize, monitor, and operationalize security data. Learners will begin with an introduction to curated dashboards and out-of-the-box content, understanding when and how to use prebuilt views versus custom dashboards. The module then guides participants through building YARA-L queries for dashboards, applying effective filtering techniques to focus on relevant signals and reduce noise. Advanced native dashboard functionalities are explored, including interactive widgets, drill-downs, and performance considerations, followed by an overview of legacy SIEM dashboards and how they differ from native dashboards. By the end of the module, learners will be able to design and maintain dashboards that provide clear, actionable security insights for both analysts and stakeholders.

What's included

5 videos, 1 assignment

This module provides a comprehensive introduction to detection engineering in Google SecOps SIEM, focusing on building, testing, and optimizing detections using YARA-L. Learners will begin by exploring curated detection categories, rule sets, and rule dependencies to understand how detections are organized and deployed at scale. The module then dives into YARA-L rule construction, covering rule structure, variables, regex string matching, reference lists, repeated fields, and core YARA-L functions. Participants will learn how to design single-event, multi-event, and composite rules, leverage entity context and the entity graph to enhance detection fidelity, and understand how events are transformed into alerts. Finally, learners will practice rule testing and optimization techniques to improve performance, accuracy, and maintainability of detections in production environments.

What's included

14 videos, 1 reading, 1 assignment

Instructor

Google Cloud Training
Google Cloud
2,115 courses, 4,055,999 learners

Offered by

Google Cloud
