Collect Duo authentication logs

Supported in:

Google secops SIEM

This document explains how to ingest Duo authentication logs to Google Security Operations using Amazon S3. The parser extracts the logs from JSON formatted messages. It transforms the raw log data into the Unified Data Model (UDM), mapping fields like user, device, application, location, and authentication details, while also handling various authentication factors and results to categorize security events. The parser also performs data cleaning, type conversion, and error handling to ensure data quality and consistency.

Before you begin

Google SecOps instance
Privileged access to Duo tenant (Admin API application)
Privileged access to AWS (S3, IAM, Lambda, EventBridge)

Configure Duo Admin API application

Sign in to Duo Admin Panel.
Go to Applications > Protect an Application.
Add Admin APIapplication.
Copy and save the following values to a secure location:
- Integration key (ikey)
- Secret key (skey)
- API hostname(for example, api-XXXXXXXX.duosecurity.com )
In Permissions, enable Grant read log(to read authentication logs).
Save the application.

Configure AWS S3 bucket and IAM for Google SecOps

Create Amazon S3 bucketfollowing this user guide: Creating a bucket
Save bucket Nameand Regionfor future reference (for example, duo-auth-logs ).
Create a user following this user guide: Creating an IAM user .
Select the created User.
Select the Security credentialstab.
Click Create Access Keyin the Access Keyssection.
Select Third-party serviceas the Use case.
Click Next.
Optional: add a description tag.
Click Create access key.
Click Download CSV fileto save the Access Keyand Secret Access Keyfor later use.
Click Done.
Select the Permissionstab.
Click Add permissionsin the Permissions policiessection.
Select Add permissions.
Select Attach policies directly
Search for and select the AmazonS3FullAccesspolicy.
Click Next.
Click Add permissions.

Configure the IAM policy and role for S3 uploads

Go to AWS console > IAM > Policies > Create policy > JSON tab.

Enter the following policy:

  { 
  
 "Version" 
 : 
  
 "2012-10-17" 
 , 
  
 "Statement" 
 : 
  
 [ 
  
 { 
  
 "Sid" 
 : 
  
 "AllowPutDuoAuthObjects" 
 , 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 "s3:PutObject" 
 , 
  
 "Resource" 
 : 
  
 "arn:aws:s3:::duo-auth-logs/*" 
  
 }, 
  
 { 
  
 "Sid" 
 : 
  
 "AllowGetStateObject" 
 , 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 "s3:GetObject" 
 , 
  
 "Resource" 
 : 
  
 "arn:aws:s3:::duo-auth-logs/duo/auth/state.json" 
  
 } 
  
 ] 
 }

Replace duo-auth-logs if you entered a different bucket name.

Click Next > Create policy.
Go to IAM > Roles > Create role > AWS service > Lambda.
Attach the newly created policy.
Name the role WriteDuoAuthToS3Role and click Create role.

Create the Lambda function

In the AWS Console, go to Lambda > Functions > Create function.
Click Author from scratch.
Provide the following configuration details:

Setting Value

Name duo_auth_to_s3

Runtime Python 3.13

Architecture x86_64

Execution role WriteDuoAuthToS3Role

Setting	Value
Name	`duo_auth_to_s3`
Runtime	Python 3.13
Architecture	x86_64
Execution role	`WriteDuoAuthToS3Role`

After the function is created, open the Codetab, delete the stub and enter the following code ( duo_auth_to_s3.py ):

  #!/usr/bin/env python3 
 # Lambda: Pull Duo Admin API v2 Authentication Logs to S3 (raw JSON pages) 
 # Notes: 
 # - Duo v2 requires mintime/maxtime in *milliseconds* (13-digit epoch). 
 # - Pagination via metadata.next_offset ("<millis>,<txid>"). 
 # - We save state (mintime_ms) in ms to resume next run without gaps. 
 import 
  
 os 
 , 
  
 json 
 , 
  
 time 
 , 
  
 hmac 
 , 
  
 hashlib 
 , 
  
 base64 
 , 
  
 email.utils 
 , 
  
 urllib.parse 
 from 
  
 urllib.request 
  
 import 
 Request 
 , 
 urlopen 
 from 
  
 urllib.error 
  
 import 
 HTTPError 
 , 
 URLError 
 import 
  
 boto3 
 DUO_IKEY 
 = 
 os 
 . 
 environ 
 [ 
 "DUO_IKEY" 
 ] 
 DUO_SKEY 
 = 
 os 
 . 
 environ 
 [ 
 "DUO_SKEY" 
 ] 
 DUO_API_HOSTNAME 
 = 
 os 
 . 
 environ 
 [ 
 "DUO_API_HOSTNAME" 
 ] 
 . 
 strip 
 () 
 S3_BUCKET 
 = 
 os 
 . 
 environ 
 [ 
 "S3_BUCKET" 
 ] 
 S3_PREFIX 
 = 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "S3_PREFIX" 
 , 
 "duo/auth/" 
 ) 
 . 
 strip 
 ( 
 "/" 
 ) 
 STATE_KEY 
 = 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "STATE_KEY" 
 , 
 "duo/auth/state.json" 
 ) 
 LIMIT 
 = 
 min 
 ( 
 int 
 ( 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "LIMIT" 
 , 
 "500" 
 )), 
 1000 
 ) 
 # default 100, max 1000 
 s3 
 = 
 boto3 
 . 
 client 
 ( 
 "s3" 
 ) 
 def 
  
 _canon_params 
 ( 
 params 
 : 
 dict 
 ) 
 - 
> str 
 : 
 parts 
 = 
 [] 
 for 
 k 
 in 
 sorted 
 ( 
 params 
 . 
 keys 
 ()): 
 v 
 = 
 params 
 [ 
 k 
 ] 
 if 
 v 
 is 
 None 
 : 
 continue 
 parts 
 . 
 append 
 ( 
 f 
 " 
 { 
 urllib 
 . 
 parse 
 . 
 quote 
 ( 
 str 
 ( 
 k 
 ), 
  
 '~' 
 ) 
 } 
 = 
 { 
 urllib 
 . 
 parse 
 . 
 quote 
 ( 
 str 
 ( 
 v 
 ), 
  
 '~' 
 ) 
 } 
 " 
 ) 
 return 
 "&" 
 . 
 join 
 ( 
 parts 
 ) 
 def 
  
 _sign 
 ( 
 method 
 : 
 str 
 , 
 host 
 : 
 str 
 , 
 path 
 : 
 str 
 , 
 params 
 : 
 dict 
 ) 
 - 
> dict 
 : 
 now 
 = 
 email 
 . 
 utils 
 . 
 formatdate 
 () 
 canon 
 = 
 " 
 \n 
 " 
 . 
 join 
 ([ 
 now 
 , 
 method 
 . 
 upper 
 (), 
 host 
 . 
 lower 
 (), 
 path 
 , 
 _canon_params 
 ( 
 params 
 )]) 
 sig 
 = 
 hmac 
 . 
 new 
 ( 
 DUO_SKEY 
 . 
 encode 
 ( 
 "utf-8" 
 ), 
 canon 
 . 
 encode 
 ( 
 "utf-8" 
 ), 
 hashlib 
 . 
 sha1 
 ) 
 . 
 hexdigest 
 () 
 auth 
 = 
 base64 
 . 
 b64encode 
 ( 
 f 
 " 
 { 
 DUO_IKEY 
 } 
 : 
 { 
 sig 
 } 
 " 
 . 
 encode 
 ()) 
 . 
 decode 
 () 
 return 
 { 
 "Date" 
 : 
 now 
 , 
 "Authorization" 
 : 
 f 
 "Basic 
 { 
 auth 
 } 
 " 
 } 
 def 
  
 _http 
 ( 
 method 
 : 
 str 
 , 
 path 
 : 
 str 
 , 
 params 
 : 
 dict 
 , 
 timeout 
 : 
 int 
 = 
 60 
 , 
 max_retries 
 : 
 int 
 = 
 5 
 ) 
 - 
> dict 
 : 
 host 
 = 
 DUO_API_HOSTNAME 
 assert 
 host 
 . 
 startswith 
 ( 
 "api-" 
 ) 
 and 
 host 
 . 
 endswith 
 ( 
 ".duosecurity.com" 
 ), 
\ "DUO_API_HOSTNAME must be like api-XXXXXXXX.duosecurity.com" 
 qs 
 = 
 _canon_params 
 ( 
 params 
 ) 
 url 
 = 
 f 
 "https:// 
 { 
 host 
 }{ 
 path 
 } 
 " 
 + 
 ( 
 f 
 "? 
 { 
 qs 
 } 
 " 
 if 
 qs 
 else 
 "" 
 ) 
 attempt 
 , 
 backoff 
 = 
 0 
 , 
 1.0 
 while 
 True 
 : 
 req 
 = 
 Request 
 ( 
 url 
 , 
 method 
 = 
 method 
 . 
 upper 
 ()) 
 req 
 . 
 add_header 
 ( 
 "Accept" 
 , 
 "application/json" 
 ) 
 for 
 k 
 , 
 v 
 in 
 _sign 
 ( 
 method 
 , 
 host 
 , 
 path 
 , 
 params 
 ) 
 . 
 items 
 (): 
 req 
 . 
 add_header 
 ( 
 k 
 , 
 v 
 ) 
 try 
 : 
 with 
 urlopen 
 ( 
 req 
 , 
 timeout 
 = 
 timeout 
 ) 
 as 
 r 
 : 
 return 
 json 
 . 
 loads 
 ( 
 r 
 . 
 read 
 () 
 . 
 decode 
 ( 
 "utf-8" 
 )) 
 except 
 HTTPError 
 as 
 e 
 : 
 if 
 ( 
 e 
 . 
 code 
 == 
 429 
 or 
 500 
< = 
 e 
 . 
 code 
< = 
 599 
 ) 
 and 
 attempt 
< max_retries 
 : 
 time 
 . 
 sleep 
 ( 
 backoff 
 ); 
 attempt 
 += 
 1 
 ; 
 backoff 
 *= 
 2 
 ; 
 continue 
 raise 
 except 
 URLError 
 : 
 if 
 attempt 
< max_retries 
 : 
 time 
 . 
 sleep 
 ( 
 backoff 
 ); 
 attempt 
 += 
 1 
 ; 
 backoff 
 *= 
 2 
 ; 
 continue 
 raise 
 def 
  
 _read_state_ms 
 () 
 - 
> int 
 | 
 None 
 : 
 try 
 : 
 obj 
 = 
 s3 
 . 
 get_object 
 ( 
 Bucket 
 = 
 S3_BUCKET 
 , 
 Key 
 = 
 STATE_KEY 
 ) 
 val 
 = 
 json 
 . 
 loads 
 ( 
 obj 
 [ 
 "Body" 
 ] 
 . 
 read 
 ()) 
 . 
 get 
 ( 
 "mintime" 
 ) 
 if 
 val 
 is 
 None 
 : 
 return 
 None 
 # Backward safety: if seconds were stored, convert to ms 
 return 
 int 
 ( 
 val 
 ) 
 * 
 1000 
 if 
 len 
 ( 
 str 
 ( 
 int 
 ( 
 val 
 ))) 
< = 
 10 
 else 
 int 
 ( 
 val 
 ) 
 except 
 Exception 
 : 
 return 
 None 
 def 
  
 _write_state_ms 
 ( 
 mintime_ms 
 : 
 int 
 ): 
 body 
 = 
 json 
 . 
 dumps 
 ({ 
 "mintime" 
 : 
 int 
 ( 
 mintime_ms 
 )}) 
 . 
 encode 
 ( 
 "utf-8" 
 ) 
 s3 
 . 
 put_object 
 ( 
 Bucket 
 = 
 S3_BUCKET 
 , 
 Key 
 = 
 STATE_KEY 
 , 
 Body 
 = 
 body 
 , 
 ContentType 
 = 
 "application/json" 
 ) 
 def 
  
 _write_page 
 ( 
 payload 
 : 
 dict 
 , 
 when_epoch_s 
 : 
 int 
 , 
 page 
 : 
 int 
 ) 
 - 
> str 
 : 
 key 
 = 
 f 
 " 
 { 
 S3_PREFIX 
 } 
 / 
 { 
 time 
 . 
 strftime 
 ( 
 '%Y/%m/ 
 %d 
 ' 
 , 
  
 time 
 . 
 gmtime 
 ( 
 when_epoch_s 
 )) 
 } 
 /duo-auth- 
 { 
 page 
 : 
 05d 
 } 
 .json" 
 s3 
 . 
 put_object 
 ( 
 Bucket 
 = 
 S3_BUCKET 
 , 
 Key 
 = 
 key 
 , 
 Body 
 = 
 json 
 . 
 dumps 
 ( 
 payload 
 , 
 separators 
 = 
 ( 
 "," 
 , 
 ":" 
 )) 
 . 
 encode 
 ( 
 "utf-8" 
 ), 
 ContentType 
 = 
 "application/json" 
 , 
 ) 
 return 
 key 
 def 
  
 fetch_and_store 
 (): 
 now_s 
 = 
 int 
 ( 
 time 
 . 
 time 
 ()) 
 # Duo recommends a ~2-minute delay buffer; use maxtime = now - 120 seconds (in ms) 
 maxtime_ms 
 = 
 ( 
 now_s 
 - 
 120 
 ) 
 * 
 1000 
 mintime_ms 
 = 
 _read_state_ms 
 () 
 or 
 ( 
 maxtime_ms 
 - 
 3600 
 * 
 1000 
 ) 
 # 1 hour on first run 
 page 
 = 
 0 
 total 
 = 
 0 
 next_offset 
 = 
 None 
 while 
 True 
 : 
 params 
 = 
 { 
 "mintime" 
 : 
 mintime_ms 
 , 
 "maxtime" 
 : 
 maxtime_ms 
 , 
 "limit" 
 : 
 LIMIT 
 } 
 if 
 next_offset 
 : 
 params 
 [ 
 "next_offset" 
 ] 
 = 
 next_offset 
 data 
 = 
 _http 
 ( 
 "GET" 
 , 
 "/admin/v2/logs/authentication" 
 , 
 params 
 ) 
 _write_page 
 ( 
 data 
 , 
 maxtime_ms 
 // 
 1000 
 , 
 page 
 ) 
 page 
 += 
 1 
 resp 
 = 
 data 
 . 
 get 
 ( 
 "response" 
 ) 
 items 
 = 
 resp 
 if 
 isinstance 
 ( 
 resp 
 , 
 list 
 ) 
 else 
 [] 
 total 
 += 
 len 
 ( 
 items 
 ) 
 meta 
 = 
 data 
 . 
 get 
 ( 
 "metadata" 
 ) 
 or 
 {} 
 next_offset 
 = 
 meta 
 . 
 get 
 ( 
 "next_offset" 
 ) 
 if 
 not 
 next_offset 
 : 
 break 
 # Advance window to maxtime_ms for next run 
 _write_state_ms 
 ( 
 maxtime_ms 
 ) 
 return 
 { 
 "ok" 
 : 
 True 
 , 
 "pages" 
 : 
 page 
 , 
 "events" 
 : 
 total 
 , 
 "next_mintime_ms" 
 : 
 maxtime_ms 
 } 
 def 
  
 lambda_handler 
 ( 
 event 
 = 
 None 
 , 
 context 
 = 
 None 
 ): 
 return 
 fetch_and_store 
 () 
 if 
 __name__ 
 == 
 "__main__" 
 : 
 print 
 ( 
 lambda_handler 
 ())

Go to Configuration > Environment variables > Edit > Add new environment variable.

Enter the following environment variables provided, replacing with your values:

Key	Example
`S3_BUCKET`	`duo-auth-logs`
`S3_PREFIX`	`duo/auth/`
`STATE_KEY`	`duo/auth/state.json`
`DUO_IKEY`	`DIXYZ...`
`DUO_SKEY`	`****************`
`DUO_API_HOSTNAME`	`api-XXXXXXXX.duosecurity.com`
`LIMIT`	`500`

After the function is created, stay on its page (or open Lambda > Functions > your‑function).
Select the Configurationtab.
In the General configurationpanel click Edit.
Change Timeoutto 5 minutes (300 seconds)and click Save.

Note: Timeout is a hard upper limit, meaning if the function is still running when the timer hits 5 minutes, AWS Lambda will terminate it. Any shorter execution just finishes normally; you are billed only for the actual run time.

Create an EventBridge schedule

Go to Amazon EventBridge > Scheduler > Create schedule.
Provide the following configuration details:
- Recurring schedule: Rate( 1 hour ).
- Target: your Lambda function.
- Name: duo-auth-1h .
Click Create schedule.

Optional: Create read-only IAM user & keys for Google SecOps

In the AWS Console, go to IAM > Users, then click Add users.
Provide the following configuration details:
- User: Enter a unique name (for example, secops-reader )
- Access type: Select Access key - Programmatic access
- Click Create user.
Attach minimal read policy (custom): Users > select secops-reader > Permissions > Add permissions > Attach policies directly > Create policy

In the JSON editor, enter the following policy:

  { 
  
 "Version" 
 : 
  
 "2012-10-17" 
 , 
  
 "Statement" 
 : 
  
 [ 
  
 { 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 [ 
 "s3:GetObject" 
 ], 
  
 "Resource" 
 : 
  
 "arn:aws:s3:::<your-bucket>/*" 
  
 }, 
  
 { 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 [ 
 "s3:ListBucket" 
 ], 
  
 "Resource" 
 : 
  
 "arn:aws:s3:::<your-bucket>" 
  
 } 
  
 ] 
 }

Set the name to secops-reader-policy .
Go to Create policy > search/select > Next > Add permissions.
Go to Security credentials > Access keys > Create access key.
Download the CSV(these values are entered into the feed).

Configure a feed in Google SecOps to ingest Duo Authentication Logs

Go to SIEM Settings > Feeds.
Click + Add New Feed.
In the Feed namefield, enter a name for the feed (for example, Duo Authentication Logs ).
Select Amazon S3 V2as the Source type.
Select Duo Authas the Log type.
Click Next.
Specify values for the following input parameters:
- S3 URI: s3://duo-auth-logs/duo/auth/
- Source deletion options: Select the deletion option according to your preference.
- Maximum File Age: Default 180 Days.
- Access Key ID: User access key with access to the S3 bucket.
- Secret Access Key: User secret key with access to the S3 bucket.
- Asset namespace: the asset namespace .
- Ingestion labels: the label applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalizescreen, and then click Submit.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`access_device.browser`	`target.resource.attribute.labels.value`	If `access_device.browser` is present, its value is mapped to the UDM.
`access_device.hostname`	`principal.hostname`	If `access_device.hostname` is present and not empty, its value is mapped to the UDM. If it's empty and the `event_type` is USER_CREATION, the `event_type` is changed to USER_UNCATEGORIZED. If `access_device.hostname` is empty and `hostname` field exists, the value of `hostname` is used.
`access_device.ip`	`principal.ip`	If `access_device.ip` exists and is a valid IPv4 address, its value is mapped to the UDM. If it's not a valid IPv4 address, it's added as a string value to `additional.fields` with key `access_device.ip` .
`access_device.location.city`	`principal.location.city`	If present, the value is mapped to the UDM.
`access_device.location.country`	`principal.location.country_or_region`	If present, the value is mapped to the UDM.
`access_device.location.state`	`principal.location.state`	If present, the value is mapped to the UDM.
`access_device.os`	`principal.platform`	If present, the value is translated to the corresponding UDM value (MAC, WINDOWS, LINUX).
`access_device.os_version`	`principal.platform_version`	If present, the value is mapped to the UDM.
`application.key`	`target.resource.id`	If present, the value is mapped to the UDM.
`application.name`	`target.application`	If present, the value is mapped to the UDM.
`auth_device.ip`	`target.ip`	If present and not "None", the value is mapped to the UDM.
`auth_device.location.city`	`target.location.city`	If present, the value is mapped to the UDM.
`auth_device.location.country`	`target.location.country_or_region`	If present, the value is mapped to the UDM.
`auth_device.location.state`	`target.location.state`	If present, the value is mapped to the UDM.
`auth_device.name`	`target.hostname` OR `target.user.phone_numbers`	If `auth_device.name` is present and is a phone number (after normalization), it's added to `target.user.phone_numbers` . Otherwise, it's mapped to `target.hostname` .
`client_ip`	`target.ip`	If present and not "None", the value is mapped to the UDM.
`client_section`	`target.resource.attribute.labels.value`	If `client_section` is present, its value is mapped to the UDM with the key `client_section` .
`dn`	`target.user.userid`	If `dn` is present and `user.name` and `username` are not, the `userid` is extracted from the `dn` field using grok and mapped to the UDM. The `event_type` is set to USER_LOGIN.
`event_type`	`metadata.product_event_type` AND `metadata.event_type`	The value is mapped to `metadata.product_event_type` . It's also used to determine the `metadata.event_type` : "authentication" becomes USER_LOGIN, "enrollment" becomes USER_CREATION, and if it's empty or neither of those, it becomes GENERIC_EVENT.
`factor`	`extensions.auth.mechanism` AND `extensions.auth.auth_details`	The value is translated to the corresponding UDM `auth.mechanism` value (HARDWARE_KEY, REMOTE_INTERACTIVE, LOCAL, OTP). The original value is also mapped to `extensions.auth.auth_details` .
`hostname`	`principal.hostname`	If present and `access_device.hostname` is empty, the value is mapped to the UDM.
`log_format`	`target.resource.attribute.labels.value`	If `log_format` is present, its value is mapped to the UDM with the key `log_format` .
`log_level.__class_uuid__`	`target.resource.attribute.labels.value`	If `log_level.__class_uuid__` is present, its value is mapped to the UDM with the key `__class_uuid__` .
`log_level.name`	`target.resource.attribute.labels.value` AND `security_result.severity`	If `log_level.name` is present, its value is mapped to the UDM with the key `name` . If the value is "info", `security_result.severity` is set to INFORMATIONAL.
`log_logger.unpersistable`	`target.resource.attribute.labels.value`	If `log_logger.unpersistable` is present, its value is mapped to the UDM with the key `unpersistable` .
`log_namespace`	`target.resource.attribute.labels.value`	If `log_namespace` is present, its value is mapped to the UDM with the key `log_namespace` .
`log_source`	`target.resource.attribute.labels.value`	If `log_source` is present, its value is mapped to the UDM with the key `log_source` .
`msg`	`security_result.summary`	If present and `reason` is empty, the value is mapped to the UDM.
`reason`	`security_result.summary`	If present, the value is mapped to the UDM.
`result`	`security_result.action_details` AND `security_result.action`	If present, the value is mapped to `security_result.action_details` . "success" or "SUCCESS" translates to `security_result.action` ALLOW, otherwise BLOCK.
`server_section`	`target.resource.attribute.labels.value`	If `server_section` is present, its value is mapped to the UDM with the key `server_section` .
`server_section_ikey`	`target.resource.attribute.labels.value`	If `server_section_ikey` is present, its value is mapped to the UDM with the key `server_section_ikey` .
`status`	`security_result.action_details` AND `security_result.action`	If present, the value is mapped to `security_result.action_details` . "Allow" translates to `security_result.action` ALLOW, "Reject" translates to BLOCK.
`timestamp`	`metadata.event_timestamp` AND `event.timestamp`	The value is converted to a timestamp and mapped to both `metadata.event_timestamp` and `event.timestamp` .
`txid`	`metadata.product_log_id` AND `network.session_id`	The value is mapped to both `metadata.product_log_id` and `network.session_id` .
`user.groups`	`target.user.group_identifiers`	All values in the array are added to `target.user.group_identifiers` .
`user.key`	`target.user.product_object_id`	If present, the value is mapped to the UDM.
`user.name`	`target.user.userid`	If present, the value is mapped to the UDM.
`username`	`target.user.userid`	If present and `user.name` is not, the value is mapped to the UDM. The `event_type` is set to USER_LOGIN.
(Parser Logic)	`metadata.vendor_name`	Always set to "DUO_SECURITY".
(Parser Logic)	`metadata.product_name`	Always set to "MULTI-FACTOR_AUTHENTICATION".
(Parser Logic)	`metadata.log_type`	Taken from the raw log's top-level `log_type` field.
(Parser Logic)	`extensions.auth.type`	Always set to "SSO".

Need more help? Get answers from Community members and Google SecOps professionals.