
Google Cloud

Introduction to Google Security Operations (SIEM)

Google Cloud via Coursera

Overview

This course provides a comprehensive, end-to-end exploration of Google SecOps SIEM, guiding learners from foundational concepts to advanced investigation and detection engineering. Participants will gain hands-on experience with data ingestion, normalization, RBAC configuration, searching, and dashboarding using both legacy and native capabilities. Through structured modules, demos, and curated examples, the course emphasizes real-world investigation workflows, UDM-based analytics, and YARA-L rule development. By the end of the course, learners will be equipped to operationalize SIEM effectively within their environment and build scalable processes for detection, investigation, and reporting.

Syllabus

  • Intro to SIEM
    • This module introduces the foundational concepts of Google SecOps SIEM, giving learners a clear understanding of the platform's purpose, architecture, and data model. It covers the SIEM-supported ingestion methods, RBAC fundamentals, the Unified Data Model (UDM), normalization workflows, and the core search and visualization capabilities of the SIEM interface. Learners will see how detections are structured and how the SIEM transforms raw logs into normalized, enriched UDM events. By the end of the module, participants will have a conceptual baseline for how data flows through the SIEM and how analysts interact with it in daily operations. This module gives only short introductions to each topic; each of them is covered in depth in the corresponding later module.
  • SIEM Setup
    • This module provides a comprehensive walkthrough of setting up Google SecOps SIEM, focusing on the full lifecycle of data onboarding, access control, and normalization. Learners will explore every supported ingestion path—direct collectors, third-party APIs, cloud storage buckets, streaming services, and on-prem deployments using BindPlane—understanding when and how each method is used. The module also dives deeply into SIEM’s RBAC framework, covering feature-level permissions, data-scoped access, scopes, labels, and practical strategies for implementing secure, least-privileged operations. Finally, learners will work through normalization concepts and parser management to ensure that ingested logs are structured, transformed, and enriched according to UDM best practices. By the end, participants will be able to deploy a fully functional and well-governed SIEM ingest pipeline.
  • SIEM Investigation
    • This module provides a comprehensive walkthrough of investigating security events within Google SecOps SIEM, focusing on how analysts move from raw log exploration to structured, hypothesis-driven investigations using UDM. Learners will begin with raw log search techniques to understand how data enters the platform and how to quickly validate ingestion, timestamps, and source context. The module then introduces the UDM schema and field families, explaining how normalization enables consistent querying across disparate data sources. Participants will progress to UDM search and statistical aggregation, learning how to pivot, group, and correlate events using structured queries and data tables. Through practical demos and guided examples, learners will develop efficient investigation workflows that combine raw logs, UDM searches, and aggregations to identify suspicious behavior, validate detections, and support incident response decisions.
  • SIEM Dashboards
    • This module provides a comprehensive overview of dashboards in Google SecOps SIEM, focusing on how dashboards are used to visualize, monitor, and operationalize security data. Learners will begin with an introduction to curated dashboards and out-of-the-box content, understanding when and how to use prebuilt views versus custom dashboards. The module then guides participants through building YARA-L queries for dashboards, applying effective filtering techniques to focus on relevant signals and reduce noise. Advanced native dashboard functionalities are explored, including interactive widgets, drill-downs, and performance considerations, followed by an overview of legacy SIEM dashboards and how they differ from native dashboards. By the end of the module, learners will be able to design and maintain dashboards that provide clear, actionable security insights for both analysts and stakeholders.
  • SIEM Detections
    • This module provides a comprehensive introduction to detection engineering in Google SecOps SIEM, focusing on building, testing, and optimizing detections using YARA-L. Learners will begin by exploring curated detection categories, rule sets, and rule dependencies to understand how detections are organized and deployed at scale. The module then dives into YARA-L rule construction, covering rule structure, variables, regex string matching, reference lists, repeated fields, and core YARA-L functions. Participants will learn how to design single-event, multi-event, and composite rules, leverage entity context and the entity graph to enhance detection fidelity, and understand how events are transformed into alerts. Finally, learners will practice rule testing and optimization techniques to improve performance, accuracy, and maintainability of detections in production environments.
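
To make the detection-engineering topics above concrete, here is an added YARA-L 2.0 rule of the kind the SIEM Detections module describes. It is an illustration written for this listing, not course material or Google-authored content. It shows the five rule sections (meta, events, match, outcome, condition), event and match variables, a reference list check on a repeated field, a regex string match, and a multi-event correlation over a time window. The reference list name `corp_egress_ips`, the group naming convention, and the threshold values are assumptions chosen for the example.

```yaral
rule user_login_then_admin_group_change {
  meta:
    author = "added example, not course content"
    description = "A successful login from outside corporate egress IPs, followed by the same user modifying an admin group within one hour"
    severity = "MEDIUM"

  events:
    // Event variable $login: a successful user login.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    // Bind the user ID to the match variable $user; exclude empty IDs so
    // events without a principal user do not join on an empty string.
    $login.principal.user.userid != ""
    $login.principal.user.userid = $user
    // principal.ip is a repeated field: the rule matches if none of the
    // login's source IPs is in the reference list. The list name
    // corp_egress_ips is an assumption for this example.
    not $login.principal.ip in %corp_egress_ips

    // Event variable $priv: the same user changes a group whose display
    // name contains "admin" (case-insensitive regex).
    $priv.metadata.event_type = "GROUP_MODIFICATION"
    $priv.principal.user.userid = $user
    re.regex($priv.target.group.group_display_name, `(?i)admin`)

  match:
    // Correlate both events on the same user within a one-hour window.
    $user over 1h

  outcome:
    // Aggregations over all events in the window, attached to the detection
    // so analysts see context without re-running the search.
    $risk_score = max(if($login.security_result.severity = "HIGH", 80, 50))
    $login_source_ips = array_distinct($login.principal.ip)
    $modified_groups = array_distinct($priv.target.group.group_display_name)
    $login_count = count_distinct($login.metadata.id)

  condition:
    // Fire only when both event types are present for the same $user.
    $login and $priv
}
```

In the Rules Editor this rule can be run with Test Rule over a historical time range before it is enabled for live detection, which is the testing-and-tuning step the module refers to; widening the window or relaxing the regex are the usual levers if it is too quiet, and the outcome variables make it easy to see which IPs and groups drove each detection when deciding whether to tighten it.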

Taught by

Google Cloud Training
