SIEM 2.0 — Google Security Operations (Google SecOps)
One-liner
We’re migrating from Splunk to Google SecOps to build a cloud-native SIEM/SOAR with better scale, speed, and automation—while running both systems in parallel until cutover.
oaicite:0
Why we’re moving
- Cloud-native SIEM + SOAR, fast search, Google/Mandiant threat intel, natural-language investigations, hybrid/multi-cloud support. oaicite:1
- Aligns with ABB’s cloud adoption and cyber-resilience goals and reduces TCO. oaicite:2
Scope & objectives
- Migrate all logs currently sent to Splunk to Google SecOps (Chronicle).
- Keep Splunk and SecOps in parallel through the pilot/UAT phases; decommission Splunk after cutover decision. oaicite:3
Migration approach
- Phased rollout: pilot → UAT → production cutover; dataset migration tracked per asset. oaicite:4
- Status: configuration phase; collecting site/asset inputs to select the best install path. Sessions and knowledge base are published for all stakeholders. oaicite:5
Agent installation options (per server)
- Remote automated — centrally executed by the SIEM team (PowerShell/Bash via Defender XDR, Qualys, Ansible).
- Manual install — by server managers using step-by-step docs and one-click installers.
- Manual configuration (no agent) — forward logs directly (e.g., syslog) when required.
Fallbacks are defined; no duplicate records when VMs are rolled back or cloned.oaicite:6
Compatibility
- Most Windows and Linux platforms supported. AIX/Solaris use syslog integration; ESXi already forwards via syslog (no agent). Compatibility matrices are in the docs. oaicite:7
Network & firewall (summary)
Global rules exist across ABB; local exceptions are rare and handled case-by-case. Key ports:
- 4317/4318 TCP — OTLP ingestion (agent/gateway).
- 8888 TCP — Bindplane metrics (agent→gateway).
- 443 TCP — Bindplane console, Google SecOps, GitHub, proxies.
Proxy allow-list:*.bindplane.com,*.googleapis.com,34.120.255.184, GitHub path for installer. Details and IDMZ flows are in the FAQ tables.oaicite:8
Access & audit
- Access model mirrors Splunk (search/reporting). Request flow will be published; dashboards for ingestion/asset status are planned. Target: by go-live (≈June). Retention stays 18 months. oaicite:9
Performance & operations
- Agent impact measured at ~1–3% CPU/RAM on tested hosts; no reboot required. Parallel Splunk+SecOps forwarding temporarily doubles egress volume. oaicite:10
Support model
- Contact Global SOC Engineering mailbox; response target ≤48h for installation issues. Escalations and dedicated sessions for complex environments on request. oaicite:11
Timeline highlights
- Pilot/UAT completed/ongoing; remote installs show 75–80% success rate.
- Phase 2 (from July): new servers onboard directly to SecOps; Splunk agent no longer installed on new builds. oaicite:12
What we need from you
- Confirm your preferred installation method for each asset (form link in comms). oaicite:13
- Prepare local firewalls if you manage IDMZ rules; global rules are already in place. oaicite:14
- Use the FAQ and Technical FAQ for live answers; recordings and guides are on the knowledge base. oaicite:15
Follow-ups (from meeting)
- Share firewall/IP/port reference pack to all teams. oaicite:16
- Publish tested-asset list and OS compatibility snapshot. oaicite:17
- Add performance charts and method notes to FAQ. oaicite:18
- Schedule deep-dives for distinct/critical environments (per BU/site). oaicite:19
- Keep the live Technical FAQ updated daily with new Q&A. oaicite:20
Quick links
- Webinar deck — SIEM 2.0 Google SecOps Webinar (Jan 2026). oaicite:21
- Knowledge base — Google SecOps Configuration hub (sessions, contacts, comms). oaicite:22
- Technical FAQ — compatibility, ports, install/rollback, retention, access. oaicite:23