Skip to main content

SIEM 2.0 — Google Security Operations (Google SecOps)

One-liner
We’re migrating from Splunk to Google SecOps to build a cloud-native SIEM/SOAR with better scale, speed, and automation—while running both systems in parallel until cutover.

oaicite:0


Why we’re moving

  • Cloud-native SIEM + SOAR, fast search, Google/Mandiant threat intel, natural-language investigations, hybrid/multi-cloud support.
    oaicite:1
  • Aligns with ABB’s cloud adoption and cyber-resilience goals and reduces TCO.
    oaicite:2

Scope & objectives

  • Migrate all logs currently sent to Splunk to Google SecOps (Chronicle).
  • Keep Splunk and SecOps in parallel through the pilot/UAT phases; decommission Splunk after cutover decision.
    oaicite:3

Migration approach

  • Phased rollout: pilot → UAT → production cutover; dataset migration tracked per asset.
    oaicite:4
  • Status: configuration phase; collecting site/asset inputs to select the best install path. Sessions and knowledge base are published for all stakeholders.
    oaicite:5

Agent installation options (per server)

  1. Remote automated — centrally executed by the SIEM team (PowerShell/Bash via Defender XDR, Qualys, Ansible).
  2. Manual install — by server managers using step-by-step docs and one-click installers.
  3. Manual configuration (no agent) — forward logs directly (e.g., syslog) when required.
    Fallbacks are defined; no duplicate records when VMs are rolled back or cloned.
    oaicite:6

Compatibility

  • Most Windows and Linux platforms supported. AIX/Solaris use syslog integration; ESXi already forwards via syslog (no agent). Compatibility matrices are in the docs.
    oaicite:7

Network & firewall (summary)

Global rules exist across ABB; local exceptions are rare and handled case-by-case. Key ports:

  • 4317/4318 TCP — OTLP ingestion (agent/gateway).
  • 8888 TCP — Bindplane metrics (agent→gateway).
  • 443 TCP — Bindplane console, Google SecOps, GitHub, proxies.
    Proxy allow-list: *.bindplane.com, *.googleapis.com, 34.120.255.184, GitHub path for installer. Details and IDMZ flows are in the FAQ tables.
    oaicite:8

Access & audit

  • Access model mirrors Splunk (search/reporting). Request flow will be published; dashboards for ingestion/asset status are planned. Target: by go-live (≈June). Retention stays 18 months.
    oaicite:9

Performance & operations

  • Agent impact measured at ~1–3% CPU/RAM on tested hosts; no reboot required. Parallel Splunk+SecOps forwarding temporarily doubles egress volume.
    oaicite:10

Support model

  • Contact Global SOC Engineering mailbox; response target ≤48h for installation issues. Escalations and dedicated sessions for complex environments on request.
    oaicite:11

Timeline highlights

  • Pilot/UAT completed/ongoing; remote installs show 75–80% success rate.
  • Phase 2 (from July): new servers onboard directly to SecOps; Splunk agent no longer installed on new builds.
    oaicite:12

What we need from you

  • Confirm your preferred installation method for each asset (form link in comms).
    oaicite:13
  • Prepare local firewalls if you manage IDMZ rules; global rules are already in place.
    oaicite:14
  • Use the FAQ and Technical FAQ for live answers; recordings and guides are on the knowledge base.
    oaicite:15

Follow-ups (from meeting)

  • Share firewall/IP/port reference pack to all teams.
    oaicite:16
  • Publish tested-asset list and OS compatibility snapshot.
    oaicite:17
  • Add performance charts and method notes to FAQ.
    oaicite:18
  • Schedule deep-dives for distinct/critical environments (per BU/site).
    oaicite:19
  • Keep the live Technical FAQ updated daily with new Q&A.
    oaicite:20

  • Webinar deck — SIEM 2.0 Google SecOps Webinar (Jan 2026).
    oaicite:21
  • Knowledge base — Google SecOps Configuration hub (sessions, contacts, comms).
    oaicite:22
  • Technical FAQ — compatibility, ports, install/rollback, retention, access.
    oaicite:23