SOC Transformation With RiverSafe And Google SecOps

In the course of its comprehensive SOC (Security Operations Center) transformation program, a global telecommunications company has transitioned to Google SecOps to enhance its threat detection and response capacities. Despite the new platform's sophisticated analytics and detection tools, the existing support processes remained largely manual, inconsistent, and challenging to manage.

YARA-L detection rules were individually deployed via the console, complicating governance and version control, which impeded consistent logic maintenance across various environments and slowed the deployment of new detections. Reference data, critical for detection logic, was kept in spreadsheets and local repositories. Analysts operated with their personal versions, leading to data discrepancies, duplications, and false positives. Moreover, configuring log forwarders involved repetitive manual tasks, with each new data source necessitating unique setup and permissions, resulting in delays and errors, thus limiting visibility.

The overall effect was a SOC equipped with the right tools but lacking the agility and reliability necessary for optimal usage. Changes were sluggish, governance was reactive, and visibility inconsistent.

Introducing DevOps Principles to SecOps

RiverSafe leveraged its SOC, SIEM, and DevSecOps proficiency to create a Terraform-based automation framework, marking a notable enterprise-scale deployment using the official Google SecOps Terraform provider.

This framework formed the base for a Detection-as-Code model that allowed detections, data, and log ingestion to be thoroughly version-controlled, governed, and reproducible.

Detection-as-Code Enhancement

RiverSafe developed Terraform modules for defining, validating, and deploying YARA-L rules directly from YAML

RiverSafe developed Terraform modules for defining, validating, and deploying YARA-L rules directly from YAML manifests stored in version-control. Automatic validation pipelines were integrated via GitHub Actions to ensure rule syntax compliance and prevent invalid logic deployment. Git tag–based versioning was implemented, tying each deployment to a specific, immutable version for easy traceability and rollback. Environment-based branching was also facilitated, supporting controlled promotions of reviewed detections from pre-production to production.

This approach allowed detection logic to be deployed in minutes instead of days, with full traceability and rollback capabilities. Consequently, the SOC could respond to emerging threats more rapidly, with complete confidence in the operational status of each environment.

Automated Reference Data Management

RiverSafe created Terraform resources for defining and maintaining shared reference lists, such as IP, domain, and hash intelligence. Efficient delta updates were implemented, ensuring only modified entries were applied to Google SecOps, which improved accuracy and auditability. Consistency and schema validation were enforced across multiple detection dependencies.

This process established reference data as a single source of truth, eliminating conflicting detections and false positives while enhancing alert reliability and reducing background noise within the SOC.

Forwarder and Log Ingestion Automation

RiverSafe automated the configuration of Google SecOps forwarders for essential data sources like firewall, proxy, and endpoint logs. Standardization of IAM setup, service accounts, and routing configuration ensured secure and repeatable onboarding of new data feeds.

This automation reduced onboarding time from hours to minutes, ensuring secure, consistent ingestion of new log sources, and faster access to essential telemetry throughout the enterprise.

Enhancements in Operations and Security

By embedding automation and DevOps methodologies into its SOC, the organization has realized significant improvements in efficiency, governance, and resilience:

An 80% reduction in manual configurations, allowing analysts to prioritize threat hunting over maintenance tasks.
Reduced configuration drift between environments, ensuring consistent coverage across global operations.
Accelerated rule deployment—from hours or days to minutes—enhancing the SOC's threat response capabilities.
Clear governance and rollback procedures, providing full tracking, testing, and trusted changes.

The SOC now operates faster, more leanly, and with greater assurance, equipped to function at an enterprise scale with automation as its core. This model exemplifies how modern enterprises can transition from traditional operations to automated, code-driven security on a large scale.

Show full press release

As part of a major SOC transformation programme, the customer, a global telco, was migrating to Google SecOps to modernise its threat detection and response capabilities.

But while the new platform offered world-class analytics and detection tools, the supporting processes were manual, inconsistent, and hard to govern.

YARA-L detection rules were deployed manually via the console, making governance and version control difficult. This made it hard to maintain consistent logic across environments and slowed the rollout of new detections.
Reference data, the shared intelligence that detection logic depends on, was stored in spreadsheets and local repositories. Analysts worked from their own versions, causing data drift, duplication, and false positives.
And configuring log forwarders was a repetitive, manual task. Every new data source required unique setup and permissions, creating delays, errors, and gaps in visibility.

The result was a SOC that had the right tools, but lacked the agility and assurance to use them effectively. Changes took too long, governance was reactive, and visibility was inconsistent.

The approach: Embedding DevOps discipline into SecOps

RiverSafe combined its SOC, SIEM, and DevSecOps expertise to design a Terraform-based automation framework, one of the first enterprise-scale deployments using the official Google SecOps Terraform provider.

This became the foundation for a Detection-as-Code model that made detections, data, and log ingestion fully version-controlled, governed, and repeatable.

What they did:

1. Detection-as-Code

Built Terraform modules to define, validate, and deploy YARA-L rules directly from version-controlled YAML manifests.
Integrated automated validation pipelines via GitHub Actions to ensure rule syntax compliance and prevent deployment of invalid logic.
Implemented Git tag–based versioning, ensuring each deployment of detection rules was tied to a specific, immutable version for traceability and rollback.
Supported environment-based branching (pre-production and production), enabling controlled promotion of validated detections.

Outcome: Detection logic could now be deployed in minutes, not days, with full traceability and rollback. The SOC gained the ability to respond to emerging threats faster, with total confidence in what was running in each environment.

2. Reference Data Automation

Created Terraform resources for defining and maintaining shared reference lists (e.g., IP, domain, and hash intelligence).
Implemented efficient delta updates, ensuring only modified entries were applied to Google SecOps, improving accuracy and auditability.
Introduced schema validation and consistency enforcement across multiple detection dependencies.

Outcome: Reference data became a single source of truth – consistent, accurate, and always up to date. This eliminated conflicting detections and false positives, improving the reliability of alerts and reducing noise in the SOC.

3. Forwarder and Log Ingestion Automation

Automated configuration of Google SecOps forwarders for key data sources such as firewall, proxy, and endpoint logs.
Standardized IAM setup, service accounts, and routing configuration to ensure secure and repeatable onboarding of new feeds.

Outcome: Reduced onboarding time from hours to minutes, ensuring secure, consistent ingestion of new log sources and faster access to critical telemetry across the enterprise

The impact: Faster, stronger, more secure operations

By embedding automation and DevOps practices into its SOC, the organization achieved measurable improvements in efficiency, governance, and resilience:

80% reduction in manual configuration, freeing analysts to focus on threat hunting, not maintenance.
Near-zero configuration drift between environments, delivering consistent coverage across global operations.
Faster rule deployment, from hours or days to minutes, accelerating the SOC’s ability to respond to threats.
Clear governance and rollback capability, ensuring every change was tracked, tested, and trusted.

The SOC is now faster, leaner, and more confident and able to operate at enterprise scale with automation as its foundation. It’s a model for how modern enterprises can evolve from traditional operations to automated, code-driven security at scale.

Download PDF version Download PDF version

Add as a preferred source on Google