As part of a major SOC transformation programme, the customer, a global telco, was migrating to Google SecOps to modernise its threat detection and response capabilities.
But while the new platform offered world-class analytics and detection tools, the supporting processes were manual, inconsistent, and hard to govern.
- YARA-L detection rules were deployed manually via the console, making governance and version control difficult. This made it hard to maintain consistent logic across environments and slowed the rollout of new detections.
- Reference data, the shared intelligence that detection logic depends on, was stored in spreadsheets and local repositories. Analysts worked from their own versions, causing data drift, duplication, and false positives.
- And configuring log forwarders was a repetitive, manual task. Every new data source required unique setup and permissions, creating delays, errors, and gaps in visibility.
The result was a SOC that had the right tools, but lacked the agility and assurance to use them effectively. Changes took too long, governance was reactive, and visibility was inconsistent.
The approach: Embedding DevOps discipline into SecOps
RiverSafe combined its SOC, SIEM, and DevSecOps expertise to design a Terraform-based automation framework, one of the first enterprise-scale deployments using the official Google SecOps Terraform provider.
This became the foundation for a Detection-as-Code model that made detections, data, and log ingestion fully version-controlled, governed, and repeatable.
What they did:
1. Detection-as-Code
- Built Terraform modules to define, validate, and deploy YARA-L rules directly from version-controlled YAML manifests.
- Integrated automated validation pipelines via GitHub Actions to ensure rule syntax compliance and prevent deployment of invalid logic.
- Implemented Git tag–based versioning, ensuring each deployment of detection rules was tied to a specific, immutable version for traceability and rollback.
- Supported environment-based branching (pre-production and production), enabling controlled promotion of validated detections.
Outcome: Detection logic could now be deployed in minutes, not days, with full traceability and rollback. The SOC gained the ability to respond to emerging threats faster, with total confidence in what was running in each environment.
2. Reference Data Automation
- Created Terraform resources for defining and maintaining shared reference lists (e.g., IP, domain, and hash intelligence).
- Implemented efficient delta updates, ensuring only modified entries were applied to Google SecOps, improving accuracy and auditability.
- Introduced schema validation and consistency enforcement across multiple detection dependencies.
Outcome: Reference data became a single source of truth – consistent, accurate, and always up to date. This eliminated conflicting detections and false positives, improving the reliability of alerts and reducing noise in the SOC.
3. Forwarder and Log Ingestion Automation
- Automated configuration of Google SecOps forwarders for key data sources such as firewall, proxy, and endpoint logs.
- Standardized IAM setup, service accounts, and routing configuration to ensure secure and repeatable onboarding of new feeds.
Outcome: Reduced onboarding time from hours to minutes, ensuring secure, consistent ingestion of new log sources and faster access to critical telemetry across the enterprise
The impact: Faster, stronger, more secure operations
By embedding automation and DevOps practices into its SOC, the organization achieved measurable improvements in efficiency, governance, and resilience:
- 80% reduction in manual configuration, freeing analysts to focus on threat hunting, not maintenance.
- Near-zero configuration drift between environments, delivering consistent coverage across global operations.
- Faster rule deployment, from hours or days to minutes, accelerating the SOC’s ability to respond to threats.
- Clear governance and rollback capability, ensuring every change was tracked, tested, and trusted.
The SOC is now faster, leaner, and more confident and able to operate at enterprise scale with automation as its foundation. It’s a model for how modern enterprises can evolve from traditional operations to automated, code-driven security at scale.