Key Capabilities
Why teams choose DataStream for Google SecOps
Everything Google SecOps needs from a pipeline – and nothing your team has to build from scratch.
Reliable detections
Deterministic, stable UDM normalization eliminates silent parser drift and ensures detection rules fire consistently across SecOps.
Faster ingestion
Skip Google-side parsing overhead. Pre-normalized data ingests directly into Google SecOps as UDM events, reducing latency.
Multi-destination routing
One normalization pipeline feeds SecOps, BigQuery, Cloud Storage, or other SIEMs without re-parsing.
Schema governance
Detect field drift and schema mismatches before data reaches Google Cloud. Enforce compliance and consistency.
Lower ingest costs
Three-layer reduction: field normalization, policy-controlled event filtering, and intelligent sampling. Combined reduction reaches 50–90%, cutting BigQuery and Pub/Sub costs significantly.
Vendor flexibility
Not locked into Google-only. Route normalized data to any SIEM or cloud warehouse via a single control plane.
ARCHITECTURE
How DataStream works
A multi-stage pipeline that processes raw logs before they reach Google SecOps: each step improves data quality and reduces ingest cost.
Ingest
Logs from any source via agents, agentless (WinRM/SSH), Syslog, CEF, LEEF, REST APIs, and direct connectors
Parse & normalize
UDM-aware parsers map source fields to Google SecOps log types; custom log types defined for sources without native SecOps parser support
Enrich & validate
Namespace and label assignment, schema validation against UDM structure, and per-event log type control
Filter & optimize
Deduplication, sampling, and field extraction reduce log volume by 50–90% before transmission without losing security-relevant events
Route & deliver
Multi-stage routing: UDM-normalized events → Google SecOps, full dataset → Google BigQuery, raw logs in Parquet format → Google Cloud Storage
API & authentication
- Google SecOps Ingestion API (V1 and V2)
- Service account (OAuth2) and API key authentication
- Regional endpoint support across 19 global regions
- High-throughput batching with configurable batch size and retry logic
- Debug mode with dry-run support for safe pipeline testing
UDM components
- Pre-built log type mappings for common sources (FIREWALL_LOG, WINDOWS_EVENT, SYSLOG, and more)
- Custom log type definitions for sources without native SecOps parser support
- Pre-structured UDM event submission — bypasses SecOps parsing entirely
- Schema drift detection before data reaches Google Cloud
- Namespace and label assignment for multi-tenant data organization
Deployment options
- Docker / Kubernetes container deployment
- On-premises agent and agentless deployment
- Cloud-native (AWS, Azure, GCP)
- Air-gapped and self-managed configurations
- Multi-tenant MSSP configurations
Comparison
VirtualMetric vs. Alternatives
How does DataStream compare to other data pipeline solutions for Google SecOps?
| | Bindplane | Cribl | VirtualMetric DataStream | Logstash |
|---|---|---|---|---|
| UDM normalization | Partial | Manual | Native | |
| Schema governance | | | | |
| Data reduction | Basic | | | |
| SecOps native | | | | |
| OT / Legacy / IoT connectors | Limited | Add-ons req. | All widely used | |
| Multi-stage routing | Basic | SecOps + BigQuery + GCS | | |
| Raw data – cloud storage (Parquet) | Built-in | | | |
| Schema drift detection | Real-time | | | |
| Ingest cost reduction | 50–90% UDM-aware | | | |
| Vendor lock-in | Google-focused | Low | Low | Low |
Frequently asked questions
Do I need a third-party pipeline tool if Google already offers Bindplane?
Bindplane handles basic log collection and forwarding – it’s useful for getting data into Google SecOps, but it doesn’t perform deterministic UDM normalization, schema governance, or multi-destination routing based on security value. DataStream operates as a full pipeline layer before data reaches SecOps: it normalizes logs from any source to UDM using vendor-specific parsers, validates schema before ingestion to eliminate parser drift, reduces ingest volume by 50–90%, and simultaneously routes data to Google SecOps, BigQuery, and Cloud Storage from a single pipeline. For enterprises with diverse source environments and cost control requirements, DataStream does what Bindplane alone cannot.
How does UDM normalization work, and do I need to write custom parsers manually?
Google SecOps uses the Unified Data Model (UDM) to standardize security telemetry across log sources so that detection rules and threat hunting queries work consistently across all data. Traditionally, this requires writing and maintaining custom parsers – a process that breaks every time a vendor changes their log format. DataStream handles UDM mapping automatically: vendor-specific pipeline templates map source fields to UDM equivalents at ingest time, covering Windows events, Linux syslog, network devices, and 30+ security vendors. No manual parser writing is required for supported sources, and schema drift is detected in real time before it affects your detection rules.
How do I connect sources that don’t have native SecOps parser support?
DataStream supports both agentless and agent-based collection. Agentless collection connects directly via WinRM (Windows) or SSH (Linux, macOS, Solaris, AIX) with no software installation. For network devices, OT/ICS systems, and security appliances, DataStream collects via Syslog and REST APIs, and supports standard log formats including CEF and LEEF. Pre-built pipeline templates cover major security vendors: Fortinet, Palo Alto Networks, Check Point, Cisco, CrowdStrike, and more. For sources without native SecOps parser support, custom log type definitions ensure logs are stored and routed correctly without requiring a custom Google SecOps parser.
How does DataStream handle sensitive data before it reaches Google SecOps?
DataStream applies policy-based redaction and masking in the pipeline before data leaves your environment. You define rules through a no-code UI to automatically remove or obfuscate sensitive fields: usernames, passwords, tokens, PII such as email addresses and phone numbers, or any custom field. Redaction is applied consistently across all incoming data, and the structure and security context of each log remain intact, so detection rules continue to work accurately. Policies are designed to support GDPR, HIPAA, and PCI DSS requirements, and redacted pipelines are audit-ready.
Can DataStream send data to both Google SecOps and Google Cloud Storage simultaneously?
Yes, multi-destination routing is a core capability. DataStream can simultaneously send UDM-normalized security events to Google SecOps for real-time threat detection; full data volume to a data lake for mid-term retention; and raw logs in Parquet format to Google Cloud Storage, AWS S3, or Azure Blob Storage for long-term archival at a fraction of SecOps ingest cost. Each destination receives the appropriate data tier based on security value, with a Correlation ID linking optimized SecOps data back to complete raw logs in archive storage for forensic investigations.
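The pipeline stages described above (parse and normalize, validate, filter, route) together with the UDM mapping, redaction and correlation-ID behaviour from the FAQ, shown as one added Python example. This is illustrative code written for this page, not DataStream's implementation or Google's UDM schema: the key=value log format, the field mapping, the UDM paths and the correlation-ID scheme are all assumptions.

```python
import re

# Constructed sample lines in a generic key=value firewall format (not any vendor's real syntax);
# the second line lacks dport, which the schema check below must catch.
RAW_LOGS = [
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow user=alice@example.com",
    "ts=2024-05-01T10:00:01Z src=10.0.0.7 dst=203.0.113.9 action=deny user=bob@example.com",
]

# Hypothetical source-field -> UDM path mapping (a few illustrative UDM paths, not the full schema).
FIELD_MAP = {"ts": "metadata.event_timestamp", "src": "principal.ip", "dst": "target.ip",
             "dport": "target.port", "action": "security_result.action",
             "user": "principal.user.email_addresses"}
REQUIRED = {"metadata.event_timestamp", "principal.ip", "target.ip", "target.port"}
REDACT = {"principal.user.email_addresses"}  # masking policy applied before data leaves the site

def parse_kv(line):
    """Split a key=value line into a dict of source fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def normalize(fields):
    """Map source keys to flat UDM-style paths; unmapped keys are kept under 'additional.'."""
    event = {FIELD_MAP.get(k, "additional." + k): v for k, v in fields.items()}
    if "target.port" in event:
        event["target.port"] = int(event["target.port"])
    return event

def schema_drift(event):
    """Return required UDM paths the event lacks; a non-empty list means drift."""
    return sorted(REQUIRED - set(event))

def redact(event):
    """Mask policy-listed fields but keep the key, so rules keyed on field presence still work."""
    return {k: ("<redacted>" if k in REDACT else v) for k, v in event.items()}

def route(lines):
    """Normalize, validate, redact and route: SecOps gets clean UDM events, the archive keeps raw."""
    secops, archive, quarantine = [], [], []
    for i, line in enumerate(lines):
        cid = f"batch-{i:04d}"  # constructed correlation ID; a real pipeline issues a unique one
        archive.append({"correlation_id": cid, "raw": line})  # raw copy always retained
        event = normalize(parse_kv(line))
        missing = schema_drift(event)
        if missing:  # drifted events are held back instead of breaking detections downstream
            quarantine.append({"correlation_id": cid, "missing": missing})
            continue
        event["metadata.correlation_id"] = cid  # hypothetical path linking back to the archive
        secops.append(redact(event))
    return secops, archive, quarantine
```

Running `route(RAW_LOGS)` ships one redacted UDM event to the SecOps list, keeps both raw lines in the archive list under their correlation IDs, and quarantines the drifted event with the missing path named.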
How long does it take to deploy DataStream for Google SecOps?
Initial deployment takes under 30 minutes. DataStream’s guided setup handles authentication, regional endpoint selection, and pipeline configuration automatically; no manual Google Cloud infrastructure setup is required. A live demo by our solution engineer shows complete integration in 13 minutes. Watch it on YouTube.
Talk to our experts
Schedule a technical session with our engineering team to see how DataStream compares to what you’re running today.
Try DataStream
Route data to your SIEM in the correct schema, with automatic normalization and up to 90% data volume reduction.
Try now